- within Privacy topic(s)
- in Asia
- within Consumer Protection and Family and Matrimonial topic(s)
The EU–US Data Privacy Framework has withstood its first major legal challenge before the EU General Court (General Court in Case T-553/23 | Latombe v Commission). As with the two earlier frameworks – the EU–US Safe Harbor (invalidated in 2015) and the EU–US Privacy Shield (invalidated in 2020) – the legality of the current Data Privacy Framework (DPF) has been scrutinised in relation to transfers of personal data to the United States and whether it ensures adequate protection of the rights and freedom of data subjects.
Case Background:
A member of the French parliament Philippe Latombe (acting in his individual capacity and not as a Government Official) brought a challenge before the EU General Court seeking the annulment of the 2022 European Commission decision to adopt an adequacy decision for the EU-US Data Privacy Framework that allows unobstructed transfers of personal data to the US for entities and data controllers that are registered with the framework.
The main arguments:
The main arguments presented by the applicant focused on US surveillance practices arguing that the independence of oversight bodies are incompatible with the required "essentially equivalent" laws in order to grant adequacy.
Large scale bulk collection of data
Mr Latombe argued that the large-scale or bulk collection of personal data violated Articles 7 and 8 of the Charter of Fundamental Rights. The Court rejected this, holding that under U.S. law the indiscriminate bulk collection without limitations or safeguards is not permitted. Under US law only targeted collection is permitted and although the term "targeted collection" is not expressly defined in U.S. legislation, it is commonly understood to mean the gathering of intelligence aimed at a specific person, communications channel, or other identified subject by intelligence agencies pursuant to the Foreign Intelligence Surveillance Act (FISA).
Access to an independent tribunal
Another argument presented by Mr Latombe was that the DPF did not guarantee an effective remedy and access to an independent tribunal in contrast to Art. 47 of the Charter of Fundamental Rights and Art. 45(2) of GDPR.
The Court rejected the applicant's claim, confirming that the Data Protection Review Court established under the DPF meets the requirements of an independent tribunal. It stressed that members are appointed under strict eligibility rules, serve for fixed terms, may only be removed for cause, and may issue binding and final decisions. While the applicant questioned the appointment process – highlighting that judges are appointed by the Attorney General after consultation with an executive body – the Court found that these safeguards ensure independence and that the process does not undermine the tribunal's impartiality.
Sufficient protection against automated decision making
The applicant also challenged whether a sufficient legal framework exists in the US to protect data subjects, whose personal data is transferred and processed there, from automated decision-making.
The Court highlighted that US law does provide safeguards similar to GDPR for sectors where automated decision making becomes relevant (e.g. credit, employment, insurance). An important remark by the Court was that for an adequacy decision to be granted the legal regime of the specific territory and/or framework and the safeguards provided need not to be identical, but equivalent to GDPR standards to a large extent (e.g. the adequacy decision for the Israeli Protection of Privacy Law, 5741-1981 (PPL)).
The Way Forward
While it remains uncertain whether Mr. Latombe will appeal the decision and what the outcome of such an appeal might be, the ruling represents a significant milestone in the field of privacy and data protection. Unlike its predecessors – Safe Harbor (2015) and Privacy Shield (2020) – the EU-U.S. Data Privacy Framework has withstood its first major judicial challenge. This offers cautious optimism that the framework may provide the stability and predictability that businesses have long sought in facilitating Transatlantic data transfers.
The Court's endorsement of the DPF sends a strong signal that the legal and institutional reforms introduced by the United States—particularly the establishment of the Data Protection Review Court and clearer safeguards around government access to data—are capable of meeting the "essential equivalence" standard under EU law. For companies operating across borders, this provides a more secure basis for compliance and reduces the risk of sudden legal invalidations that have previously disrupted commercial operations.
From a broader perspective, the decision also reinforces the political commitment between the EU and U.S. to align privacy protections with fundamental rights while maintaining the free flow of data that underpins the $8.3 trillion Transatlantic economic relationship. Should the ruling stand on appeal, it could mark a turning point toward greater legal certainty in international data transfers, though ongoing scrutiny and potential further challenges mean that vigilance remains necessary.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
