EU General Court confirms United States ensured an adequate level of protection for EU personal data transfers to the US.
On 3 September 2025, the EU General Court delivered its judgment in Case T-553/23, Latombe v. Commission. The court dismissed Latombe’s action for annulment of the EU-US Data Privacy Framework (DPF) and upheld the European Commission’s Adequacy Decision (Adequacy Decision) in relation to the DPF, which allows businesses to freely transfer personal data subject to the EU GDPR to US organisations certified under the DPF. This ruling provides welcome additional certainty on trans-Atlantic data flows.
Overview
Admissibility
Although there were doubts as to whether Latombe’s annulment action would be considered admissible, not least because of the need for an applicant to have standing to challenge an EU act (e.g., when an act is of direct and individual concern to them), the court expressly did not decide on this issue. Instead, the court considered that, in the interests of the sound administration of justice, it was necessary to examine the merits of the action without first ruling on its admissibility because Latombe’s action was in any event unfounded in substance.
Substance
The court dismissed each of the four arguments underpinning Latombe’s annulment action, focusing in particular on the various measures implemented in the US in connection with the DPF under Executive Order 14086 (EO), including limitations and safeguards on US intelligence activities and the establishment of the Data Protection Review Court (DPRC). The court also emphasised that, for the purposes of assessing the adequacy of protections in a third country, the third country does not have to provide an identical level of protection to the EU, nor use the same means of protection, so long as the means used are effective — the key question is whether the protection provided is essentially equivalent to the EU, which the court found it was in respect of the DPF.
- Right to effective remedies: Latombe alleged that the Commission had infringed Article 47 (Right to an effective remedy and to a fair trial) of the Charter of Fundamental Rights of the EU (the Charter), claiming that the DPRC is not an independent and impartial tribunal but “a para-judicial body dependent on the executive”, and that the DPRC was not “previously established by law” as it “was not created by a law adopted by the United States Congress, but by an act of the executive, namely a decision of the Attorney General”. The court rejected each of Latombe’s arguments. The court reviewed the composition, oversight mechanisms, and powers of the DPRC and found it to be an independent and impartial tribunal that provides an effective remedy. The court relied on various safeguards to ensure the independence of judges on the DPRC, including provisions that they can only be dismissed by the US Attorney General and only for cause, and that intelligence agencies may not hinder or improperly influence their work. Further, judges on the DPRC are appointed in consultation with the Privacy and Civil Liberties Oversight Board (PCLOB), which, while established within the executive, is an independent agency composed of a bipartisan board of members. The court specifically noted that the deficiencies the Court of Justice of the EU (CJEU) identified in Schrems II — as regards the lack of guarantees relating to the dismissal by the executive of the Privacy Shield Ombudsman and the lack of binding nature of his decisions — have been remedied by the EO.
- Bulk collection of personal data by intelligence agencies: Latombe argued that the Commission had infringed Article 7 (Respect for private and family life) and Article 8 (Protection of personal data) of the Charter given the “bulk collection” by US intelligence agencies of personal data transferred to DPF-certified US organisations was not subject to prior judicial oversight and was not governed by sufficiently clear and precise rules. Again, the court rejected each of Latombe’s arguments in this regard. The court noted that “bulk collection” of personal data, meaning “a collection carried out in a generalised and indiscriminate manner without restrictions or safeguards”, “is not authorised in the United States and cannot be carried out either in or outside its territory”, therefore the subject matter of Latombe’s action in relation to Articles 7 and 8 was limited to “bulk collection, by US intelligence agencies, of personal data in transit from the Union to DPF organisations”. The court also rejected the argument that, as a matter of EU law, any such bulk collection needed to be subject to prior authorisation issued by an independent authority. Instead, the court found that judicial oversight can be provided after the event, and decided that US law complies with this requirement on the basis that the collection of personal data is subject to ex post judicial oversight by the DPRC. Given the various safeguards and limitations on intelligence activities contained in the EO, including with regards to purpose-limitation, proportionality requirements, and data minimisation, the court also found that “it cannot validly be maintained that the implementation of bulk collection is not framed in a sufficiently clear and precise manner”. Moreover, the court held that the limited power of the US president to update the list of specific purposes of bulk collection is also not contrary to the requirements of EU law.
- Safeguards against automated decision-making: Latombe claimed that the Adequacy Decision failed to address fully automated decisions, as governed by Article 22 GDPR, and that this called into question the Commission’s conclusion that the US offers an adequate level of protection of personal data. The court gave this argument short shrift. It found that in many cases, the GDPR’s provisions regarding automated decision-making would apply to controllers and processors processing personal data in the US, owing to the extraterritorial scope of the GDPR. In any event, US laws offer sectoral protections against automated decision-making similar to those under the GDPR in areas such as the granting of credit, mortgage offers, recruitment decisions, employment, housing and insurance. The court concluded that these laws, although they do not have the same general application as Article 22 GDPR, provided an adequate level of protection.
- Security of personal data: The court also dealt briefly with Latombe’s final argument. It found that while organisations certified under the DPF are not subject to data security obligations identical to those under Article 32 GDPR, they are subject to essentially equivalent security obligations under the DPF.
Accordingly, the court rejected Latombe’s action for annulment in its entirety, upholding the validity of the DPF and the Adequacy Decision as a basis for EU-US data transfers under the GDPR.
Implications
The court’s unequivocal dismissal of Latombe’s action has reduced any immediate concerns around the regulatory uncertainty and disruptive enforcement action that could have arisen from an annulment of the DPF and the Adequacy Decision. The fact that the court was prepared to sidestep questions on admissibility may also indicate confidence in its conclusions on the adequacy of US law under the DPF. While Latombe may appeal the court’s judgment to the CJEU, any such appeal proceedings would take years to conclude. In the meantime, absent any other challenges, organisations can continue to rely on the DPF and the Adequacy Decision for trans-Atlantic personal data transfers to the US with renewed confidence.
