Deutsch
EU General Court Upholds the EU-U.S. Data Privacy Framework: Key Takeaways for Businesses
On 3 September 2025, the General Court (GC) of the European Union’s Court of Justice handed down a landmark ruling in Latombe v. Commission, dismissing claims to annul the EU-U.S. Data Privacy Framework (DPF). The GC held that the DPF satisfies EU standards for data protection in connection with cross-border data transfers to the U.S.A.
Background: EU Data Transfers and the DPF
Under Chapter V of the GDPR, transfers of personal data outside the EU are permitted only where adequate safeguards exist. Tools such as Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) are widely used, but Article 45 GDPR allows unrestricted transfers where the European Commission (EC) has adopted an adequacy decision.
On 10 July 2023, the EC adopted an adequacy decision for the EU-U.S. Data Privacy Framework (DPF). Backed by U.S. government commitments and reforms under Executive Order 14086 (EO 14086), the DPF created a certification mechanism for U.S. organizations and sought to remedy past deficiencies identified by EU courts.
The DPF follows two failed predecessors:
-
Safe Harbor (invalidated in Schrems I, 2015), and
-
Privacy Shield (invalidated in Schrems II, 2020).
Both were struck down because U.S. surveillance practices were deemed incompatible with EU fundamental rights.
The Challenge:
On 6 September 2023, Philippe Latombe, a French MP and member of the French Data Protection Authority (CNIL), filed an action seeking annulment of the DPF (Case T-553/23).
Latombe argued that the DPF failed to address the EU’s standard of an “essentially equivalent” level of data protection in the recipient country (USA), raising two key objections:
-
Independence of the Data Protection Review Court (DPRC): He claimed the DPRC lacked impartiality because it operates within the U.S. executive branch.
-
Legality of bulk data collection: He argued U.S. intelligence agencies’ practices would amount to disproportionate and unlawful interference with privacy rights, as they would not be subject to prior judicial authorization.
The General Court’s Decision
Without addressing questions of admissibility, the GC assessed the merits “in the interests of the proper administration of justice.”
The GC’s Key Findings
-
Adequacy Standard: The Court reaffirmed that an “adequacy” of the level of data protection requires an “essentially equivalent” protection, not identical laws.
-
Timing: The validity of the DPF should be assessed as of the date of its adoption, meaning later political developments could not retroactively undermine the EC’s adequacy decision.
-
DPRC Independence: The GC upheld the EC’s assessment that the DPRC would be sufficiently independent, citing safeguards such as impartial procedures, appointment standards, and dismissal protections. Importantly, the GC noted ongoing Commission monitoring as an additional safeguard.
-
Bulk Data Collection: The GC found that U.S. bulk data collection would be subject to guardrails under EO 14086 and U.S. law, including ex post judicial review. Drawing on European Court of Human Rights (ECtHR) case law, the Court concluded these mechanisms would meet the “essential equivalence” threshold.
What This Means for Businesses
On the basis of the ruling at this point the DPF remains a valid mechanism for EU-U.S. data transfers, providing a legal basis for:
-
EU companies and organizations reliant on transatlantic data flows;
-
U.S. businesses certified under the DPF; and
-
Multinational enterprises also using the Swiss-U.S. and UK-U.S. frameworks, which mirror the EU DPF.
The ruling is also held to strengthen the position of alternative safeguards like SCCs, since EO 14086 reshaped U.S. intelligence practices more broadly.
Next Steps and Risks Ahead
While the decision clarifies the legal landscape for now, businesses should remain vigilant:
-
Appeal Possible: Latombe (or others) may appeal to the Court of Justice of the EU (CJEU) on points of law within ~2 months.
-
Political Developments: Future U.S. actions – such as changes to oversight bodies like the PCLOB – could challenge the framework’s credibility.
-
Ongoing Monitoring: The EC retains the power to suspend or amend the adequacy decision if U.S. protections are weakened.
Practical Guidance
Even though organizations may currently continue to apply the DPF on the basis of the Ruling, they should:
-
Maintain contingency plans (SCCs or BCRs) to be on the safe side;
-
in any case monitor developments closely, especially potential appeals and political shifts in the U.S.
Conclusion
For now, the GC’s decision provides businesses with some certainty. However, given the history of Safe Harbor and Privacy Shield, businesses should balance optimism with caution and prepare for potential future challenges.
This article is intended to convey general thoughts on the topic presented. It should not be relied upon as legal advice. It is not an offer to represent you, nor is it intended to create an attorney-client relationship. References to “MAYRFELD”, “the law firm”, and “legal practice” are to one or more of the MAYRFELD members. No individual who is a partner, shareholder, employee or consultant of MAYRFELD (whether or not such individual is described as a “partner”) accepts or assumes responsibility, or has any liability, to any person in respect to this communication. Any reference to a partner or is to a member, employee or consultant with equivalent standing and qualifications of MAYRFELD. The purpose of this communication is to provide information as to developments in the law. It does not contain a full analysis of the law nor does it constitute an opinion of MAYRFELD on the points of law discussed. You must take specific advice on any particular matter which concerns you.
For more information about MAYRFELD Rechtsanwälte PartG mbB, please visit us at www.mayrfeld.com.