On 3 September 2025, the General Court of the European Union (the “General Court”) dismissed an action by Phillipe Latombe, a member of the French Parliament, to annul the EU-US Data Privacy Framework (“DPF”), thereby upholding the framework for the transfer of personal data between the European Union and the United States. The DPF is also relevant to the transfer of personal data between the UK and the United States thanks to the UK Extension to the DPF. The news is likely to be welcomed by those organisations touched by the transatlantic flow of personal data and for whom the DPF is of critical importance.
Background
On 10 July 2023, the European Commission (the “Commission”) adopted an adequacy decision for the DPF which provides for the EU-US transfer of personal data without the need for additional appropriate safeguards (such as the EU’s standard contractual clauses (the “SCCs”) and the UK’s international data transfer agreement (or “IDTA”)).
The previous regime, the Privacy Shield, was declared invalid by the courts in the 2022 Schrems II decision following a review of US surveillance laws. To address these concerns and foster transatlantic data flows the DPF introduced new safeguards for personal data transferred from the EU to the US, importantly including a limitation on the ability of US intelligence services to access EU personal data to what is necessary and proportionate to a specific national security goal. Additionally, the DPF provides mechanisms for EU individuals to use where they are concerned about the transfer of their personal data to the US, these include the Data Protection Review Court (“DPRC”) which can investigate complaints raised by EU individuals.
US organisations can join the DPF by self-certifying with the US Department of Commerce that they comply with a set of privacy obligations. In particular, a US organisation must have a suitable privacy policy that conforms with the DPF and must identify a recourse mechanism for complaints. Once an organisation self-certifies it should comply immediately with the DPF privacy obligations and must repeat this self-certification on an annual basis to be able to continue to rely on the DPF.
Organisations that need to export personal data to the US can check, via the US Department of Commerce’s website for the DPF (available here), whether the US organisation it plans to transfer personal data to has the benefit of the DPF and therefore such personal data can be transferred without the need for additional appropriate safeguards, such as the SCCs or the IDTA.
The Challenge
Mr Latombe challenged the DPF on the basis that it fails to provide the required level of protection. He argued that:
- the DPRC is neither impartial nor independent because it forms part of the US executive branch and therefore does not provide a sufficient redress mechanism for individuals; and
- US intelligence agencies’ bulk collection of personal data in transit from the EU is unlawful because such collection is not subject to prior judicial or independent oversight.
The General Court dismissed both arguments and upheld the Commission’s original adequacy decision. It found that the DPRC’s independence was not of concern because judicial appointments follow a rigorous process, including oversight from the Privacy and Civil Liberties Oversight Board, and such judges can only be dismissed by the Attorney General for cause – therefore the DPRC remains a suitable mechanism for individual redress under the DPF. On bulk data collection, the General Court found that the US approach of ‘after the event’ judicial review is similar to that of many jurisdictions and therefore it is acceptable that prior authorisation is not strictly necessary for such bulk intercept. It is not necessary for the US legal position to be identical to that in the EU, just that the level of legal protection is essentially equivalent to that guaranteed by EU law.
What’s next?
The General Court repeatedly noted that its assessment was highly context-dependent and emphasised the need for the Commission to monitor and review its adequacy decision on an ongoing basis. The General Court’s decision can still be appealed to the Court of Justice of the European Union and any US developments that may impact the independence of the DPRC or increase concerns regarding unlawful US government access to personal data will increase the likelihood of further legal challenges to the DPF and will factor into the Commission’s ongoing reviews of the adequacy of the DPF.
The ruling does provide greater certainty to organisations that rely on the DPF for transatlantic data transfers, at least for the time being. However, such organisations should note that this is an area that is constantly evolving and should therefore continue to monitor the risks of data transfers to the US to ensure compliance with relevant data protection laws.
If you have any questions relating to the DPF or data transfers generally, please do not hesitate to get in touch at [email protected].
