On September 3, 2025, the General Court of the European Union issued a ruling upholding the validity of the EU–U.S. Data Privacy Framework (“DPF”). This decision brings some stability to transatlantic data flows, though potential appeals may still arise.
Background
The DPF, adopted by the European Commission in 2023, was designed to replace the Safe Harbor and Privacy Shield frameworks, both of which were previously invalidated based on concerns that U.S. surveillance practices lacked adequate safeguards for EU citizens’ personal data.
Following the adoption of the DPF, French lawmaker Philippe Latombe challenged the framework, arguing that it failed to meet EU data protection standards. Latombe argued that: (i) the U.S. Data Protection Review Court (“DPRC”) depends on the executive and is neither impartial nor independent; and (ii) the practice of U.S. intelligence agencies collecting bulk personal data in transit from the European Union is illegal as it lacks prior authorization of a court or independent administrative body.
The General Court’s Decision
The General Court dismissed Latombe’s action for annulment, concluding that, at the time of adoption, the United States ensured “an adequate level of protection” for EU personal data. The Court decided that the DPRC is independent, counter to Latombe’s argument. Per the General Court, several safeguards ensure its independence, and judges may only be dismissed for cause by the Attorney General. Additionally, the court held that bulk collection of data does not require prior authorization but rather must be subject to ex post judicial review. Such review is provided by the DPRC.
Implications for Businesses
The ruling provides increased legal certainty for companies that rely on transatlantic data transfers. However, an appeal to the Court of Justice of the European Union (“CJEU”) is still possible. Given the CJEU’s decision on previous adequacy frameworks, the DPF may still face a challenge. And, privacy activist Max Schrems, whose challenges struck down the prior two frameworks, has already voiced skepticism by suggesting that a “broader review of U.S. surveillance law could produce a different outcome.” Facing such challenges, companies should maintain a flexible compliance program.