On September 3, the General Court of the European Union published its much-anticipated judgment in Latombe v. Commission (Case T-553/23), rejecting the challenge to the European Commission's 2023 adequacy decision for transfers of personal data to the United States.
In doing so, the court has confirmed, at least for now, that the EU-U.S. Data Privacy Framework (DPF) provides a level of protection "essentially equivalent" to that guaranteed within the EU.
Background
The origins of this case trace back to July 10, 2023, when the European Commission adopted Implementing Decision (EU) 2023/1795. This decision marked a significant milestone, as it declared the United States to be providing an adequate level of protection for personal data transferred from the EU, in accordance with Chapter V of the GDPR.
The adequacy decision was the result of extensive legal scrutiny, especially in light of the Court of Justice's previous invalidations of earlier frameworks such as Safe Harbour and Privacy Shield. The 2023 decision was affected by substantial regulatory changes in the United States, most notably Executive Order 14086, which introduced new privacy safeguards for intelligence activities and established the Data Protection Review Court (DPRC) as an independent redress mechanism for EU citizens.
Despite these reforms, the adequacy decision was promptly challenged by a member of the French Parliament, Philippe Latombe. He argued that the DPRC lacked true independence and impartiality, and that the bulk collection of EU personal data by U.S. intelligence agencies was still not sufficiently limited or subject to adequate oversight.
These concerns echoed those raised in the landmark Schrems I and Schrems II cases, which had previously led to the invalidation of earlier transatlantic data transfer frameworks. Nevertheless, after a detailed examination of the new legal and institutional safeguards, the General Court dismissed Latombe's action in its entirety, upholding the European Commission's assessment.
The court's legal reasoning
1. Independence of the DPRC
The cornerstone of the applicant's case was the alleged structural dependence of the DPRC on the U.S. executive branch. The court examined the structure and functioning of the DPRC in detail. It noted that the appointment process for DPRC judges is multi-layered, with fixed terms of office and the possibility of dismissal only for cause, which together serve to insulate the judges from improper influence.
Furthermore, U.S. law imposes statutory obligations on both the attorney general and intelligence agencies, explicitly prohibiting them from interfering with the DPRC's work. The court also highlighted the European Commission's ongoing responsibility to monitor the application of the
DPF and, if necessary, to suspend, amend, or repeal the adequacy decision should future changes in U.S. law or practice undermine these safeguards.
Taken together, these factors led the court to conclude that the DPRC meets the EU standard of independent and impartial redress.
2. Bulk collection and proportionality
Addressing concerns over bulk signals-intelligence collection, the court reiterated that Schrems II does not demand ex ante judicial authorization, rather, it requires that any bulk collection be subject to meaningful, ex post judicial oversight.
The court also addressed the issue of bulk collection of personal data by U.S. intelligence agencies. It found that, under U.S. law, such collection is restricted to what is considered "necessary and proportionate" for clearly defined national-security purposes.
Importantly, these activities are subject to review by the DPRC, which has the authority to order remedial measures in cases where violations are identified. Accordingly, the court concluded that the safeguards now in place in the United States satisfy the "essential equivalence" test established by the Court of Justice of the European Union (CJEU).
Practical next steps
For businesses, the General Court's ruling brings a period of relative stability, as it firmly establishes the legal basis for the DPF and provides companies and their legal teams with a greater degree of certainty when relying on the DPF for transatlantic data transfers. However, this stability is not absolute.
The European Commission is required to continuously monitor U.S. practices, and any significant changes, whether legislative or in the behavior of U.S. agencies, could result in a partial or complete suspension of the adequacy decision. Companies should therefore remain vigilant, keeping an eye on annual European Commission reports and the possibility of renewed legal challenges before the CJEU.
It is also important to note that the judgment does not eliminate the need for transfer impact assessments when using alternative transfer mechanisms, such as Standard Contractual Clauses, especially for U.S. data recipients who have not self-certified under the DPF.
Conclusion
The General Court's decision provides clarity and a measure of legal certainty for organizations that depend on EU-U.S. data flows. While opponents of the DPF are likely to persist, potentially escalating the matter to the Court of Justice, the judgment underscores the court's willingness to support the European Commission's risk-based approach to adequacy. Companies should take advantage of this period of respite, but it is advisable to remain cautious and vigilant as the landscape of international data transfers remains very dynamic.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
