On September 3, 2025, the General Court of the European Union dismissed Philippe Latombe’s annulment action against the Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF) (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023) and confirmed that, at the time of adoption, the United States (US) ensured an adequate level of protection for European Union (EU) personal data transferred to DPF-certified organizations (Judgment of the General Court in Case T-553/23, Latombe v Commission). The Court also underscored that US signals-intelligence activities are subject to ex-post judicial oversight by the Data Protection Review Court.
This ruling follows years of uncertainty after the CJEU’s 2020 Schrems II decision, which invalidated the predecessor Privacy Shield framework. It supports the work done by the US and the EU to get a stronger deal; this is a very positive outcome, even if uncertainties remain.
Background
The EU-US Data Privacy Framework was adopted by the European Commission in July 2023, following negotiations with the US to address concerns raised by the Court of Justice of the European Union (CJEU) in Schrems II. The framework sought to strengthen safeguards around US government access to EU personal data and created a new Data Protection Review Court to provide redress for EU citizens.
Shortly after adoption, legal challenges emerged, including the present action, which alleged that the framework still fell short of EU standards for data protection and fundamental rights. According to the applicant, the Data Protection Review Court was neither impartial nor independent, but dependent on the executive. He also argued that the practice of US intelligence agencies of collecting in bulk personal data in transit from the EU, without the prior authorization of a court or an independent administrative authority, was not circumscribed in a sufficiently clear and precise manner and was therefore illegal.
But What Did the General Court Say?
While the General Court found that the action was inadmissible on procedural grounds, it did not merely knock the case out on standing; it explicitly confirmed adequacy “on the date of adoption”.
The Court also rejected the plea alleging that the Data Protection Review Court was not independent, stressing that its members are appointed from outside the executive and enjoy protections against removal, and that their work cannot be hindered or influenced by either the Attorney General or the intelligence agencies.
It also turned down the claim that US bulk data collection is unlawful under EU standards. It clarified that Schrems II does not require prior authorization by an independent authority for such collection; what matters is ex post judicial oversight. Under the new framework, US intelligence activities are indeed subject to review by the Data Protection Review Court. On that basis, the Court affirmed that US law provides a level of protection for bulk data collection “essentially equivalent” to EU law.
Practical Challenges – The EU Data Act Is Testing Existing Practices
The General Court’s ruling is both a green light and a warning sign: safe to proceed, but unwise to relax. While this is much-needed good news for the framework for the moment, it is certainly not the last word. Latombe may appeal to the CJEU, and other advocacy groups, such as NOYB, may also bring strategic cases against the framework. However, by effectively endorsing the framework, this decision provides a cautionary lesson for future challengers.
It must also be noted that the regulatory trajectory remains positive but also conditional. As pointed out by the Court, the European Commission is required to continuously monitor the application of the legal framework. This means that changes in the legal framework in force in the US at the time of adoption might cause the Commission to suspend, amend or repeal the contested decision or limit its scope, if necessary. Once more, regularly monitoring legislative developments is key to success.
For certified organizations that rely on the framework, this provides further certainty regarding the safety and continuation of transfers. In addition, entities that rely on Standard Contractual Clauses (SCCs) and have to undertake Data Transfer Impact Assessments (DTIAs) also benefit: the decision confirms that US surveillance practices, when coupled with the Data Protection Review Court’s ex post oversight, are regarded by the EU Courts as offering a level of protection “essentially equivalent” to EU law. This judicial recognition can be used in DTIAs to demonstrate that transfers to the US are not inherently high-risk, thereby reducing the burden of extensive supplementary measures.
Finally, this decision underscores that international data transfers remain a high-stakes and fast-moving area. With supervisory authorities actively scrutinizing cross-border flows and with US surveillance legislation still subject to political and judicial shifts, organizations should keep an eye on developments. For those who rely on the DPF, having fallback SCCs in the back pocket might prove helpful (even if cumbersome). Whilst there are many challenges to transatlantic flows, personal data are for now free to travel. This can only be good news.