On 3 September 2025, the General Court (GC) of the European Union's Court of Justice dismissed claims in Latombe v. Commission to annul the EU-U.S. Data Privacy Framework (DPF). In doing so, the GC looked past standing issues and decided on the merits that DPF satisfies the EU's standards for data protection. The decision is a strong endorsement of the negotiated approach for resolving perceived discrepancies in protections applied to EU personal data sent to the U.S., and a substantial initial victory for stable transatlantic data flows.
Background on EU Data Transfers Requirements and the DPF
Chapter V of the GDPR governs the transfers of personal data to third countries or international organisations outside the EU. Such international transfers shall only take place if appropriate legal safeguards are applied, such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). Under Art. 45 GDPR, data transfers covered by the scope of an adequacy decision are permitted without further legal safeguards being necessary.
On 10 July 2023, the European Commission (EC) adopted an adequacy decision on data transfers under the EU-U.S. Data Privacy Framework (DPF). The DPF is a certification mechanism for U.S. organizations backed with U.S. Government commitments governing transatlantic transfers of personal data between the EU and the U.S. The EC found that the DPF, as bolstered by Executive Order 14086 (EO 14086) that ordered reforms of U.S. intelligence activities and established new redress mechanisms, provides an adequate level of protection for personal data transferred from the EU to organizations in the U.S. (see our coverage of the DPF adoption here).
The DPF succeeds two predecessor adequacy decisions of similar mechanisms to cover transatlantic data transfers, namely the “Privacy Shield” that was invalidated by the European Court of Justice in 2020 (in the so-called “Schrems II” ruling) and the “Safe Harbor” that was similarly invalidated in 2015 (in the so-called “Schrems I” ruling). In both cases, the CJEU found that the U.S. Government’s potential “bulk” surveillance of EU data subjects whose personal data had been transferred to the U.S. was incompatible with EU law.
Background on Latombe v. Commission
On 6 September 2023, Philippe Latombe, a French Member of Parliament and long-standing advocate of European digital sovereignty, and Commissioner of the French Data Protection Authority (CNIL), filed an action for annulment of the DPF before the GC (Case T-553/23; see our summary of the action here).
Latombe based his action on Art. 263(4) TFEU, which allows individuals to challenge EU acts that are of direct and individual concern to them. This threshold is a high bar: while direct concern is typically easier to demonstrate for adequacy decisions (given their immediate legal effects on data subjects), individual concern is more demanding. The admissibility of Latombe’s claim was therefore uncertain.
In his action, Latombe addressed issues that already lead to the invalidation of the Privacy Shield Framework, namely guarantees for effective and independent judicial protection for data subjects under U.S. law and the legality of the bulk collection of data by U.S. intelligence authorities (Case C-311/18; see our coverage here).
In particular, he raised two principal challenges to the validity of the DPF:
- Independence of the Data Protection Review Court (DPRC): Latombe argued that the DPRC newly established under the DPF (see the DPRC website here) and competent to review complaints from EU data subjects lacked the guarantees of impartiality and independence required under EU fundamental rights standards as it is a part of the U.S. executive branch.
- Legality of bulk data collection by U.S. intelligence agencies: Latombe further submitted that the practices of U.S. intelligence agencies on the bulk collection of personal data in transit from the EU to the U.S. amount to disproportionate and unlawful interference with the rights to privacy and data protection, in particular as they are performed without prior authorisation of a court or an independent administrative authority.
On this basis, Latombe argued that the DPF does not guarantee a level of protection essentially equivalent to that ensured within the EU.
Dismissal of Latombe’s Action for Annulment by the GC
On 3 September 2025, the GC released its decision that the DPF is valid and therefore dismissed Latombe’s action for annulment of the DPF.
On the procedural aspects, the GC crucially did not dismiss the case on procedural grounds but examined the substantive pleas in law and ruled on the merits. In a very unusual way, the GC indeed analyzed the request on its merits without first ruling on its admissibility, which it is authorized to do “in the interests of the proper administration of justice” and justified by the GC given the circumstances at stake. The admissibility of Latombe’s request has therefore not been ruled by the GC.
The GC decision is also very interesting regarding the following preliminary points it identified as needing clarification or reminder:
- “Essentially equivalent” protection: Before analyzing the issues raised by Latombe, the GC clarified, as a preliminary point, that the expression “adequate level of protection” is understood to mean that the third country law must ensure a level of protection of fundamental rights and freedoms “essentially equivalent” to the one offered within the EU. A strict similarity or absolute equivalence between law is therefore not required, only an essential equivalence is deemed sufficient.
- Date of assessment: The GC also specified that, according to settled case law, the legality of an EU act shall only be assessed at its time of adoption, and that factual and legal circumstances subsequent to the adoption of an EU act cannot affect its validity. The GC’s assessment of the DPF is therefore only based on the information available at the time of assessment of the DPF.
On the merits, the GC first analyzed the point raised by Latombe regarding the DPRC independence and sided with the EC’s finding as part of its DPF Adequacy decision that the DPRC satisfies the EU’s requirement that redress be available through an independent judicial body.
The EC confirmed the DPRC’s independence and underlined that such independence is guaranteed by several safeguards and conditions:
“In particular, the executive branch (the Attorney General and intelligence agencies) are barred from interfering with or improperly influencing the DPRC’s review. The DPRC itself is required to impartially adjudicate cases and operates according to its own rules of procedure (adopted by majority vote). Moreover, DPRC judges may be dismissed only by the Attorney General and only for cause (i.e. misconduct, malfeasance, breach of security, neglect of duty or incapacity), after taking due account of the standards applicable to federal judges laid down in the Rules for Judicial-Conduct and Judicial-Disability Proceedings.”
Among its arguments for confirming independence and impartiality of the DPRC, the GC highlighted in its decision that DPRC judges are nominated following a strict procedure and must have specific professional experience. Based on the arguments raised by Latombe, the decision also details the independence factors of the Privacy and Civil Liberties Oversight Board (PCLOB), which is consulted before the DPRC judges’ appointments. The GC also found convincing the additional DPF safeguard that the EC is constantly monitoring the applicability of the legal framework on which the contested decision to the DPRC has been taken, and may decide to suspend, amend or repeal the contested decision where it has evidence that an adequate level of protection is no longer ensured.
The GC’s finding is significant because a key element in the CJEU’s invalidation of the Privacy Shield in Schrems II was the lack of appropriate judicial redress.
Regarding the legality of the bulk data collection by U.S. intelligence agencies, the GC also highlighted that there is no requirement under the CJEU’s Schrems II standard that data collection must be subject to prior authorization of an independent authority and that a lack of prior authorization may be outweighed by other safeguards. The GC specified in this case that ex post judicial reviews of decisions authorising such collection of data are performed in line with the Schrems II standard. The GC also highlighted that guardrails on bulk data collection by U.S. surveillance authorities are applied by virtue of U.S. law, including the EO 14086 safeguards. It is worth noting that the GC relied substantially on ECtHR case law regarding mass surveillance in reaching its findings.
The GC concluded that the bulk collection of personal data is strictly regulated and that U.S. law does not fail to ensure an appropriate level of legal protection essentially equivalent to that guaranteed by EU law.
Take-Aways: What the Decision Means for Companies
The GC’s judgment, while potentially not final as an appeal is still possible, confirms that the U.S. ensured an adequate level of protection for personal data transferred from the EU on the date of adoption of the EC’s adequacy decision on the DPF.
As a consequence, the EC’s adequacy decision on the DPF remains a valid mechanism for data transfers from the EU to the U.S. under Chapter V GDPR. Thereby, the judgment brings legal certainty for:
- companies and organizations that depend on uninterrupted EU-U.S. data flows in their daily practice; as well as
- U.S. organizations that rely on certification to the DPF for compliant data transfers from the EU.
The ruling, in its endorsement of the mechanisms established pursuant to EO 14086 to ensure essentially equivalent protections for EU individuals, also bolsters transatlantic data transfers effectuated through appropriate safeguards (e.g., SCCs). This is because EO 14086 re-framed baseline U.S. intelligence activities regardless of the context in which the EU personal data sought though those activities are transferred to the U.S.
The ruling is also relevant for the Swiss–U.S. Data Privacy Framework, which was adopted in parallel to the EU decision and mirrors many of its key elements. While Switzerland is not bound by the GC’s judgment, the GC’s confirmation of adequacy under the DPF strengthens the legitimacy and perceived stability of the Swiss framework as well. Multinational companies often implement both frameworks in tandem to cover transfers from the EU and Switzerland to the U.S.
Similarly, the ruling has significant practical implications for transfers to the US from the UK, given that the UK Government adopted a mirror mechanism entirely based on the DPF. While the CJEU decisions are technically not binding on the UK, an annulment of the DPF would have put the UK in a very delicate situation to either uphold the decision or otherwise differ from the EU's position. Therefore, by dismissing Latombe's action, the GC has also released the UK Government and any UK companies relying on the DPF for data transfers from both political and legal uncertainty.
The fact that the GC ruled on the merits and did not limit its decision on procedural grounds, concluding that the DPF is a valid mechanism for transatlantic transfers, is also a strong signal for future actions that may be carried out to seek the annulment of the DPF.
Next Steps
While the judgment is a decisive first-stage victory for transatlantic data transfer stability, the door remains open to future turbulence: the judgment may be appealed to the CJEU within two months and ten days of notification of the decision. The appeal must be limited to points of law only.
In addition, while the GC’s assessment considered only laws and facts relevant at the time of DPF adoption, other assessments may consider later developments, such as U.S. President Trump’s firing of PCLOB members. Such developments, if they are resolved with outcomes that undermine the GC’s fundamental assumptions, could strain essential elements of its reasoning.
Businesses should continue to monitor developments with an eye to anticipating novel factors that may strain status quo interpretations of the legal landscape. Given a possible appeal as well as the monitoring of the DPF on an ongoing basis by the EC, companies and organizations relying on the DPF should also maintain contingency plans, such as Standard Contractual Clauses or Binding Corporate Rules, to mitigate transfer risks in case of future legal or political uncertainty, triggering further invalidation claims.
[View source.]
