European General Court Confirms Validity Of The EU–U.S. Data Privacy Framework

On September 3, 2025, the European General Court ("EGC") issued a highly anticipated judgment refusing to annul the European Commission's July 2023 adequacy decision for the EU–U.S. Data Privacy Framework ("DPF"). The action, brought by French Member of Parliament Philippe Latombe acting in his personal capacity, alleged that the DPF failed to guarantee an "essentially equivalent" level of protection to that provided under the EU General Data Protection Regulation ("GDPR"), particularly in relation to (i) the independence of the U.S. redress mechanism and (ii) the permissibility of bulk data collection by U.S. intelligence agencies.

The EGC dismissed each of Mr. Latombe's substantive claims, holding that the Commission's 2023 assessment of U.S. law was neither manifestly erroneous nor inconsistent with the standards articulated by the Court of Justice of the European Union ("CJEU") in Schrems I and Schrems II. As a result, the more than 3,400 U.S. organizations that have self-certified to the DPF may continue to rely on that certification as a standalone legal basis for receiving personal data from the European Economic Area ("EEA") without immediate recourse to Standard Contractual Clauses ("SCCs"), Binding Corporate Rules ("BCRs"), or supplementary transfer impact assessments.

The Court's Analysis

Redress Mechanism. The judgment first addressed the Data Protection Review Court ("DPRC"), created by U.S. Executive Order 14086 to provide EU data subjects with binding redress. The EGC emphasized that the DPRC's fixed terms, removal protections, ability to obtain classified evidence, and obligation to issue reasoned written decisions satisfied the independence and impartiality requirements of EU law and Article 47 of the Charter of Fundamental Rights. The Court rejected arguments that the DPRC was structurally beholden to the U.S. Executive Branch, noting that the Attorney General's limited procedural role did not translate into substantive influence over outcomes.

Surveillance Practices. Turning to government surveillance, the EGC examined whether U.S. intelligence agencies engage in indiscriminate bulk collection. Relying on the Commission's record, the Court cited statutory and policy safeguards—including 50 U.S.C. §§ 1881a and 1861, Presidential Policy Directive 28, and Executive Order 14086—that restrict bulk collection to scenarios where targeted collection is infeasible and only for specified national security objectives. Oversight is multi-layered, with checks by the Foreign Intelligence Surveillance Court, internal compliance structures, congressional committees, the independent Privacy and Civil Liberties Oversight Board ("PCLOB"), and ex post review by the DPRC. Together, these measures were deemed sufficient to meet the necessity and proportionality requirements in Articles 7, 8, and 52(1) of the Charter. Importantly, the Court reaffirmed that the benchmark is "essential equivalence," not identical protection, declining to impose a stricter parity standard.

Procedural Posture. Although the EGC did not definitively resolve Mr. Latombe's standing, it chose to proceed "in the interests of the proper administration of justice." This procedural choice is notable: a CJEU appeal could re-open the standing question and prolong litigation timelines even if the substantive findings are upheld.

Next Steps: Potential Appeal

Under Article 56 of the Statute of the CJEU, the decision may be appealed within two months of notification. If appealed, the CJEU could revisit:

• whether the Commission correctly applied the "essential equivalence" test to the revised U.S. legal framework; and
• whether post-2023 developments—such as changes in the PCLOB's composition or amendments to U.S. surveillance law—affect the adequacy finding's continued validity.

Pending such an appeal, however, the July 2023 adequacy decision remains fully operative.

Practical Implications for Businesses

• Continued Reliance on DPF. Organizations self-certified to the DPF may continue to rely on that mechanism for EEA-to-U.S. transfers without the need for SCCs, BCRs, or TIAs.
• Hybrid Transfer Programs. Businesses that combine DPF with other tools (e.g., onward transfers from the U.S. to third countries) should monitor appellate proceedings but need not amend existing assessments now.
• Certification Incentives. Entities contemplating certification gain increased certainty that the DPF will remain viable at least through any appellate process, likely extending into 2026.
• Ongoing Monitoring. The Commission retains a legal duty to monitor U.S. developments and adjust the adequacy decision as necessary. Companies should expect periodic reviews to generate new guidance or obligations.

The EGC's ruling offers stability without finality. For now, the DPF provides a secure and efficient transfer mechanism, but its future remains subject to appellate review and ongoing political and regulatory oversight. Prudent companies will continue to document reliance on the DPF while preserving fallback transfer tools and monitoring EU and U.S. legal developments closely.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.