/>iOn September 3, 2025, the European General Court (General Court) dismissed an action challenging the EU–U.S. Data Privacy Framework (DPF), developed to provide U.S. organizations with a reliable means to transfer personal data from the United States to the European Union, consistent with EU law.
The General Court’s judgment in case T-553/23, Philippe Latombe v European Commission, confirms that “the United States ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country,” the Court’s press release states. The General Court and the Court of Justice make up the Court of Justice of the European Union (CJEU).
This decision means that entities that have self-certified compliance with the DPF may, for now, continue to rely on that mechanism for personal data transfers to the United States from the European Union (EU). The self-certification process includes, for example, a description of an organization’s activities with regard to all personal data received from the European Union in reliance on the EU-U.S. DPF, the organization’s policies covering such data, the types of data processed and, if applicable, the type of third parties to which it discloses such personal information.
Philippe Latombe, a politician in the French National Assembly (the lower house of the French Parliament), asserted in his September 2023 complaint that the DPF lacks a guarantee of the right to an effective remedy and access to an independent tribunal. The U.S. Data Protection Review Court (DPRC)—which reviews determinations of a Civil Liberties Protection Officer (CLPO) of the Office of the Director of National Intelligence in the United States—is not an impartial or independent tribunal, is dependent on the executive, and does not offer guarantees similar to those required by EU law, Latombe contended.
The DPRC, established by then-Attorney General Merrick Garland in 2022, “was established by an act of the United States executive and not by law,” the 2023 complaint argues.
Latombe, a user of platforms that collect personal data for transfer to the United States, also asserted that the practice of U.S. intelligence agencies of collecting bulk personal data in transit from the EU, without prior authorization of a court or independent administrative authority, was illegal.
Latombe’s action for annulment was dismissed by the General Court, however, which found adequate “safeguards and conditions to ensure the independence” of the DRPC. And the General Court found nothing in EU case law—specifically Schrems II, discussed below—“to suggest that collection must necessarily be subject to prior authorization issued by an independent authority.”
The Data Protection Framework
The EU General Data Protection Regulation (GDPR) provides that the transfer of European Economic Area (EEA) personal data is prohibited unless the transfer relies on a so-called “adequacy decision,” or the company transferring the data relies on another valid data transfer mechanism, e.g., Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) as determined by the European Commission (EC). An adequacy decision is adopted by the EC and recognizes that a non-EEA country or organization within a non-EEA country ensures an adequate level of protection, allowing personal data to flow freely from the EEA to the applicable entity in a non-EEA country. The current DPF is one such adequacy decision that allows for the unencumbered importation of personal data from the EEA into the United States without reliance on other transfer mechanisms.
The DPF, and the Latombe decision in particular, are significant given the somewhat tortuous path that it has taken to get to a place where the adequacy of the safeguards has been recognized by a European Court. Although the decision may be appealed to the CJEU within two months, the decision represents the first measured assessment that current privacy safeguards are adequate for data protection transfers. It moves beyond, at least for the time being, the uncertainty and organizational frustrations that were attributable to two significant failed attempts, Schrems I and Schrems II, to resolve privacy concerns regarding the importation of personal data from the EU to the United States.
The Tortured History of the EU-U.S. Data Privacy Transfer Protections
The Schrems decisions represent landmark rulings by the CJEU that fundamentally reshaped the landscape of transatlantic data transfers. Named after Austrian privacy activist Maximilian Schrems, these cases challenged the adequacy of U.S. data protection measures and ultimately invalidated two successive EU–U.S. data transfer frameworks, forcing a complete restructuring of how personal data flows between Europe and the United States until the new Data Privacy Framework was instituted in 2023.
Schrems I (2015): The Fall of Safe Harbor
The Safe Harbor framework, established in 2000, provided a mechanism for U.S. companies to self-certify compliance with EU data protection standards, thereby enabling lawful transfers of personal data from the EU to the United States. Under this system, companies could avoid the complex requirements of obtaining explicit consent or implementing other transfer mechanisms by simply adhering to Safe Harbor principles.
Schrems, concerned about Facebook’s data handling practices in light of Edward Snowden’s revelations about National Security Agency surveillance programs, filed a complaint with the Irish Data Protection Commissioner. His argument centered on the fundamental incompatibility between U.S. surveillance laws and EU privacy rights, particularly following disclosures about programs like the Planning Tool for Resource Integration, Synchronization, and Management (PRISM) that allowed U.S. intelligence agencies broad access to data held by U.S. companies.
In October 2015, the CJEU delivered a devastating blow to the Safe Harbor framework. The court ruled that the data protection framework failed to provide adequate protection for EU citizens’ personal data transferred to the United States and U.S. surveillance programs, particularly those allowing indiscriminate access to personal data, were incompatible with EU fundamental rights, noting, moreover, that EU citizens had no meaningful legal recourse against U.S. government access to their data. The court emphasized that national security exceptions could not justify unlimited access to personal data, establishing that any data transfer mechanism must respect the “essence” of fundamental rights to privacy and data protection.
The invalidation of the framework created immediate legal uncertainty for thousands of companies engaged in transatlantic data transfers. Organizations scrambled to implement alternative transfer mechanisms, primarily SCCs and BCRs, while regulators provided limited guidance during the transition period.
Schrems II (2020): Privacy Shield’s Demise
Following Safe Harbor’s invalidation, the EU and United States negotiated the Privacy Shield framework, which came into effect in 2016. This new mechanism attempted to address the CJEU’s concerns through enhanced oversight mechanisms, stronger commitments from U.S. companies, and additional safeguards regarding government access to data. Undeterred by Privacy Shield’s enhanced protections, Schrems continued his legal challenge, again targeting Facebook’s data transfers to the United States. His complaint maintained that fundamental issues with U.S. surveillance laws remained unresolved, making any adequacy decision premature.
In July 2020, the CJEU issued its decision delivering another landmark ruling. The court found that Privacy Shield suffered from the same fundamental flaws as Safe Harbor, particularly regarding U.S. government surveillance powers. Moreover, while confirming the validity of the use of SCCs in principle, the court imposed significant additional obligations including the undertaking of transfer impact assessments to evaluate whether adequate protection can be ensured in the destination country.
The Schrems decisions extend far beyond EU-U.S. relations, affecting global data transfer practices. The CJEU’s stringent interpretation of adequacy has implications for transfers to any third country whose surveillance laws may conflict with EU privacy standards. Organizations face unprecedented compliance burdens following Schrems II. The requirement to conduct transfer impact assessments for each third-country transfer, combined with the need to implement supplementary measures where protection gaps exist, has created significant operational complexity.
The invalidation of Privacy Shield necessitated renewed negotiations between the EU and United States. These discussions, complicated by ongoing concerns about U.S. surveillance laws and the lack of comprehensive federal privacy legislation in the United States, required addressing the fundamental issues identified in both Schrems decisions.
The current EU-U.S. Data Privacy Framework, announced in 2022 and formalized through the EU adequacy decision in 2023, attempts to address these concerns through stronger limitations on U.S. intelligence agencies' access to personal data, the creation of new oversight mechanisms, including an independent Data Protection Review Court, and improved procedures for EU individuals to seek redress for improper data handling.
Conclusion
Despite these improvements, and this positive EU court decision, significant questions remain about the DFP’s long-term viability. Critics argue that fundamental tensions between U.S. national security imperatives and EU privacy rights persist. Legal challenges to the new framework are anticipated, potentially creating another cycle of invalidation and renegotiation. As to the Latombe decision, it is likely that appeal will be taken to the CJEU.
The “ghosts” of the Schrems I and II decisions may continue to haunt this current framework. If appealed, it may again showcase the CJEU’s willingness to prioritize fundamental rights over commercial convenience and diplomatic arrangements.
