On 3 September 2025, the General Court of the EU dismissed the action brought by French MP Philippe Latombe seeking annulment of the EU–U.S. Data Privacy Framework (DPF). The Court ruled on the merits, confirming that the DPF ensures an “essentially equivalent” level of protection for personal data transferred to the U.S. under GDPR rules.
Note that this is a General Court judgment (first instance of the Court of Justice of the EU), not yet a CJEU (Court of Justice) ruling.
Background
Under GDPR Chapter V, international data transfers require either safeguards (SCCs, BCRs) or an adequacy decision (Art. 45 GDPR).
The Data Privacy Framework, adopted by the Commission in July 2023, certifies U.S. organizations and is underpinned by Executive Order 14086, which reformed U.S. intelligence activities and created the Data Protection Review Court (DPRC).
Latombe argued that the DPRC lacked independence and that U.S. bulk surveillance remained unlawful, repeating criticisms that led to the invalidation of Safe Harbor (2015) and Privacy Shield (2020).
Court’s Key Findings
Merits over admissibility – The Court bypassed doubts on Latombe’s standing and ruled on the substantive validity of the DPF, citing judicial efficiency.
Assessment at time of adoption. Validity is judged as of July 2023, when the adequacy decision was adopted; later facts don’t taint the act, though the Commission must continuously monitor and can suspend/amend if circumstances change.
Essentially equivalent protection – The ruling affirms that protections need not be identical but must be essentially equivalent to EU standards. This aligns with GDPR Article 45 principles.
Redress mechanism survives. The Data Protection Review Court (DPRC) was found sufficiently independent and impartial, addressing a key defect that sank Privacy Shield in Schrems II.
Bulk data collection – While not subject to prior judicial authorization, U.S. intelligence activities are sufficiently regulated with ex post review and EO 14086 safeguards, aligning with Schrems II standards.
Implications for Businesses
Legal certainty: The DPF remains a valid and stable transfer mechanism under GDPR.
Broader impact: The ruling also strengthens the Swiss–U.S. and UK–U.S. frameworks, which mirror the DPF.
Fallback options: Organizations should still maintain SCCs or BCRs as contingency tools in case of future legal or political challenges.
Ongoing monitoring: The Commission must continuously assess U.S. compliance; future developments (e.g., political interference with oversight bodies) could reopen challenges.
Reminder: the DPF in practice
The U.S. recipient self-certifies with the U.S. Department of Commerce and appears on the DPF List;
The organisation commits to the DPF Principles, including transparency, data minimisation, and access rights;
Certification is renewed annually, and made publicly accessible;
It is therefore essential for any data controller subject to the GDPR to verify before any transfer that the receiving entity is indeed on the official list of certified organizations, available on the U.S. Department of Commerce website (under Participant Search on dataprivacyframework.gov).
For all other non-certified recipients, it is imperative to implement appropriate safeguards, such as standard contractual clauses (SCCs), and ensure that data subjects have enforceable rights as well as effective remedy avenues.
Action checklist for DPOs
If you rely on the DPF:
Confirm counterparties’ active certification and scope; align your Art. 13/14 notices and records (RoPA) accordingly.
Keep SCCs/BCRs as a fallback in playbooks for critical flows.
If you rely on SCCs/BCRs:
- Refresh transfer impact assessments to reference EO 14086 safeguards recognized by the Court.
Contracts & governance:
- Track the Commission’s periodic reviews and any U.S. legal shifts that could trigger re-assessment.
What’s Next
Appeal possible: Latombe may appeal to the CJEU, but only on points of law.
Ongoing U.S. institutional changes (e.g., oversight bodies’ composition) and EU–US political tension keep a “déjà-vu” risk in the background. The Commission’s ongoing monitoring duty is pivotal.
👉 Practical takeaway: For now, EU–U.S. data flows are legally secure, but organizations should combine reliance on the DPF with risk management strategies to anticipate future litigation or political changes.