ARTICLE
7 November 2025

EU General Court Upholds EU–US Data Privacy Framework

L
Liedekerke

Contributor

Liedekerke logo

Founded in 1965 by lawyers committed to legal excellence, Liedekerke is an independent law firm recognised for its leadership and expertise and with an international reputation built upon an unchallenged expertise.

A premium Belgian business law firm for 60 years with offices in Antwerp, Brussels, London, Kinshasa and Kigali, our firm is dedicated to providing a world-class service by consistently delivering the finest assistance and guidance.

The firm has a strong advisory practice based on sector expertise and an in-depth knowledge of Belgian and European law. As an essential complement to its advisory activities, it represents clients in complex litigation before national, European and international courts, both judicial and arbitral, the Court of Cassation, the Council of State and the Belgian Constitutional Courts.

Explore Firm Details
On 3 September 2025, the EU General Court (T-553/23, Latombe v Commission) dismissed an action challenging the European Commission's adequacy decision 2023/1795 of July 2023 on the EU–US Data Privacy Framework.
Belgium Privacy
Liedekerke Wolters Waelbroeck Kirkpatrick
Liedekerke are most popular:
  • within Energy and Natural Resources topic(s)
  • with readers working within the Banking & Credit industries

On 3 September 2025, the EU General Court (T-553/23, Latombe v Commission) dismissed an action challenging the European Commission's adequacy decision 2023/1795 of July 2023 on the EU–US Data Privacy Framework.

The applicant argued that the framework failed to provide EU citizens with a level of protection "essentially equivalent" to that guaranteed under EU law, a standard that had led the Court of Justice to invalidate both the Safe Harbour (2015) and the Privacy Shield (2020) in the well-known Schrems I and Schrems II rulings.

The Court, however, confirmed that the reforms introduced by the United States, in particular Executive Order 14086 and the creation of the Data Protection Review Court (DPRC), provide sufficient guarantees of independence and impartiality. It held that the DPRC qualifies as an effective redress mechanism in line with Article 47 of the Charter of Fundamental Rights.

The Court also addressed the issue of bulk collection of personal data by US intelligence agencies. It underlined that Schrems II does not require prior authorisation by an independent authority but only effective ex post judicial review. Since US law subjects these activities to such oversight by the DPRC, the Court found that the level of protection is essentially equivalent to that guaranteed under EU law.

By rejecting the applicant's claims, the General Court has upheld the Commission's adequacy decision as lawful.

Takeaway

This ruling brings welcome stability to transatlantic data transfers. For businesses, the decision means that data flows to the US can continue under the EU–US Data Privacy Framework with greater legal certainty. At the same time, companies must remain attentive to GDPR compliance: robust technical and organisational safeguards remain essential.

The Commission will continue to monitor the framework and retains the power to suspend, amend or revoke the framework if US protections were to weaken. It also remains to be seen whether the applicant will choose to appeal the General Court's decision before the Court of Justice.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Person photo placeholder
Liedekerke Wolters Waelbroeck Kirkpatrick
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More