[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article_59566":3},{"tableOfContents":4,"markDownContent":5,"htmlContent":6,"metaTitle":7,"metaDescription":8,"wordCount":9,"readTime":10,"title":7,"nbDownloads":11,"excerpt":12,"lang":13,"url":14,"intro":15,"featured":4,"state":16,"author":17,"authorId":18,"datePublication":22,"dateCreation":23,"dateUpdate":24,"mainCategory":25,"categories":41,"metaDatas":68,"imageUrl":69,"imageThumbUrls":70,"id":78},false,"On [**3 September 2025**, the General Court of the EU](https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf) dismissed the action brought by French MP Philippe Latombe seeking annulment of the **EU–U.S. Data Privacy Framework (DPF)**. The Court ruled **on the merits**, confirming that the DPF ensures an **“essentially equivalent” level of protection** for personal data transferred to the U.S. under GDPR rules.\r\n\r\nNote that this is a **General Court** judgment (first instance of the Court of Justice of the EU), not yet a CJEU (Court of Justice) ruling.\r\n\r\n### Background\r\n\r\n- Under **GDPR Chapter V**, international data transfers require either safeguards (SCCs, BCRs) or an adequacy decision (Art. 45 GDPR).\r\n\r\n- The Data Privacy Framework, adopted by the Commission in **July 2023**, certifies U.S. organizations and is underpinned by **Executive Order 14086**, which reformed U.S. intelligence activities and created the **Data Protection Review Court (DPRC)**.\r\n\r\n- Latombe argued that the DPRC lacked independence and that **U.S. bulk surveillance** remained unlawful, repeating criticisms that led to the invalidation of **Safe Harbor (2015)** and **Privacy Shield (2020)**.\r\n\r\n{% button href=\"https://www.dastra.eu/en/article/data-privacy-framework-dpf-third-attempt-third-failure/59126\" text=\"For further details, click here\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\" %}\r\n\r\n### Court’s Key Findings\r\n\r\n1. 
**Merits over admissibility** – The Court bypassed doubts on Latombe’s standing and ruled on the substantive validity of the DPF, citing judicial efficiency.\r\n\r\n2. **Assessment at time of adoption.** Validity is judged **as of July 2023**, when the adequacy decision was adopted; later facts don’t taint the act, though the Commission must **continuously monitor** and can suspend/amend if circumstances change.\r\n\r\n3. **Essentially equivalent protection** – The ruling affirms that protections need not be identical but must be **essentially equivalent** to EU standards. This aligns with GDPR Article 45 principles.\r\n\r\n4. **Redress mechanism survives.** The **Data Protection Review Court (DPRC)** was found sufficiently **independent and impartial**, addressing a key defect that sank Privacy Shield in Schrems II.\r\n\r\n5. **Bulk data collection** – While not subject to prior judicial authorization, U.S. intelligence activities are sufficiently regulated with **ex post review** and EO 14086 safeguards, aligning with Schrems II standards.\r\n\r\n### Implications for Businesses\r\n\r\n- **Legal certainty**: The DPF remains a valid and stable transfer mechanism under GDPR.\r\n\r\n- **Broader impact**: The ruling also strengthens the Swiss–U.S. and UK–U.S. frameworks, which mirror the DPF.\r\n\r\n- **Fallback options**: Organizations should still maintain SCCs or BCRs as contingency tools in case of future legal or political challenges.\r\n\r\n- **Ongoing monitoring**: The Commission must continuously assess U.S. compliance; future developments (e.g., political interference with oversight bodies) could reopen challenges.\r\n\r\n### Reminder: the DPF in practice\r\n\r\n- The U.S. recipient **self-certifies** with the U.S. 
Department of Commerce and appears on the **DPF List**;\r\n\r\n- The organisation commits to the **DPF Principles**, including transparency, data minimisation, and access rights;\r\n\r\n- Certification is renewed **annually**, and made **publicly accessible**;\r\n\r\nIt is therefore essential for any data controller subject to the GDPR to **verify before any transfer** that the receiving entity is indeed on the **official list of certified organizations**, available on the **U.S. Department of Commerce website** (under *Participant Search* on [dataprivacyframework.gov](http://dataprivacyframework.gov)).\r\n\r\nFor all other non-certified recipients, it is imperative to implement **appropriate safeguards**, such as standard contractual clauses (SCCs), and ensure that data subjects have **enforceable rights** as well as **effective remedy avenues**.\r\n\r\n### Action checklist for DPOs\r\n\r\n1. **If you rely on the DPF:**\r\n\r\n   - Confirm counterparties’ **active certification** and scope; align your Art. 13/14 notices and records (RoPA) accordingly.\r\n\r\n   - Keep **SCCs/BCRs as a fallback** in playbooks for critical flows.\r\n\r\n2. **If you rely on SCCs/BCRs:**\r\n\r\n   - Refresh **transfer impact assessments** to reference EO 14086 safeguards recognized by the Court.\r\n\r\n3. **Contracts & governance:**\r\n\r\n   - Track the Commission’s **periodic reviews** and any U.S. legal shifts that could trigger re-assessment.\r\n\r\n### What’s Next\r\n\r\n- **Appeal possible**: Latombe may appeal to the CJEU, but only on points of law.\r\n\r\n- Ongoing U.S. institutional changes (e.g., oversight bodies’ composition) and EU–US political tension keep a **“déjà-vu” risk in the background**. The Commission’s ongoing **monitoring duty** is pivotal.\r\n\r\n👉 **Practical takeaway**: For now, EU–U.S. 
data flows are legally secure, but organizations should combine reliance on the DPF with risk management strategies to anticipate future litigation or political changes.","\u003Cp>On \u003Ca href=\"https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf\" rel=\"nofollow\">\u003Cstrong>3 September 2025\u003C/strong>, the General Court of the EU\u003C/a> dismissed the action brought by French MP Philippe Latombe seeking annulment of the \u003Cstrong>EU–U.S. Data Privacy Framework (DPF)\u003C/strong>. The Court ruled \u003Cstrong>on the merits\u003C/strong>, confirming that the DPF ensures an \u003Cstrong>“essentially equivalent” level of protection\u003C/strong> for personal data transferred to the U.S. under GDPR rules.\u003C/p>\r\n\u003Cp>Note that this is a \u003Cstrong>General Court\u003C/strong> judgment (first instance of the Court of Justice of the EU), not yet a CJEU (Court of Justice) ruling.\u003C/p>\r\n\u003Ch3 id=\"background\">Background\u003C/h3>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Under \u003Cstrong>GDPR Chapter V\u003C/strong>, international data transfers require either safeguards (SCCs, BCRs) or an adequacy decision (Art. 45 GDPR).\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>The Data Privacy Framework, adopted by the Commission in \u003Cstrong>July 2023\u003C/strong>, certifies U.S. organizations and is underpinned by \u003Cstrong>Executive Order 14086\u003C/strong>, which reformed U.S. intelligence activities and created the \u003Cstrong>Data Protection Review Court (DPRC)\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Latombe argued that the DPRC lacked independence and that \u003Cstrong>U.S. 
bulk surveillance\u003C/strong> remained unlawful, repeating criticisms that led to the invalidation of \u003Cstrong>Safe Harbor (2015)\u003C/strong> and \u003Cstrong>Privacy Shield (2020)\u003C/strong>.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cdiv class=\"content-btn-container\">\u003Ca href=\"https://www.dastra.eu/en/article/data-privacy-framework-dpf-third-attempt-third-failure/59126\" target=\"_blank\" role=\"button\" class=\"btn btn-primary\">For further details, click here\u003C/a>\u003C/div>\r\n\u003Ch3 id=\"courts-key-findings\">Court’s Key Findings\u003C/h3>\r\n\u003Col>\r\n\u003Cli>\u003Cp>\u003Cstrong>Merits over admissibility\u003C/strong> – The Court bypassed doubts on Latombe’s standing and ruled on the substantive validity of the DPF, citing judicial efficiency.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Assessment at time of adoption.\u003C/strong> Validity is judged \u003Cstrong>as of July 2023\u003C/strong>, when the adequacy decision was adopted; later facts don’t taint the act, though the Commission must \u003Cstrong>continuously monitor\u003C/strong> and can suspend/amend if circumstances change.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Essentially equivalent protection\u003C/strong> – The ruling affirms that protections need not be identical but must be \u003Cstrong>essentially equivalent\u003C/strong> to EU standards. This aligns with GDPR Article 45 principles.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Redress mechanism survives.\u003C/strong> The \u003Cstrong>Data Protection Review Court (DPRC)\u003C/strong> was found sufficiently \u003Cstrong>independent and impartial\u003C/strong>, addressing a key defect that sank Privacy Shield in Schrems II.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Bulk data collection\u003C/strong> – While not subject to prior judicial authorization, U.S. 
intelligence activities are sufficiently regulated with \u003Cstrong>ex post review\u003C/strong> and EO 14086 safeguards, aligning with Schrems II standards.\u003C/p>\r\n\u003C/li>\r\n\u003C/ol>\r\n\u003Ch3 id=\"implications-for-businesses\">Implications for Businesses\u003C/h3>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Legal certainty\u003C/strong>: The DPF remains a valid and stable transfer mechanism under GDPR.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Broader impact\u003C/strong>: The ruling also strengthens the Swiss–U.S. and UK–U.S. frameworks, which mirror the DPF.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Fallback options\u003C/strong>: Organizations should still maintain SCCs or BCRs as contingency tools in case of future legal or political challenges.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Ongoing monitoring\u003C/strong>: The Commission must continuously assess U.S. compliance; future developments (e.g., political interference with oversight bodies) could reopen challenges.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Ch3 id=\"reminder-the-dpf-in-practice\">Reminder: the DPF in practice\u003C/h3>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>The U.S. recipient \u003Cstrong>self-certifies\u003C/strong> with the U.S. 
Department of Commerce and appears on the \u003Cstrong>DPF List\u003C/strong>;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>The organisation commits to the \u003Cstrong>DPF Principles\u003C/strong>, including transparency, data minimisation, and access rights;\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Certification is renewed \u003Cstrong>annually\u003C/strong>, and made \u003Cstrong>publicly accessible\u003C/strong>;\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>It is therefore essential for any data controller subject to the GDPR to \u003Cstrong>verify before any transfer\u003C/strong> that the receiving entity is indeed on the \u003Cstrong>official list of certified organizations\u003C/strong>, available on the \u003Cstrong>U.S. Department of Commerce website\u003C/strong> (under \u003Cem>Participant Search\u003C/em> on \u003Ca href=\"http://dataprivacyframework.gov\" rel=\"nofollow\">dataprivacyframework.gov\u003C/a>).\u003C/p>\r\n\u003Cp>For all other non-certified recipients, it is imperative to implement \u003Cstrong>appropriate safeguards\u003C/strong>, such as standard contractual clauses (SCCs), and ensure that data subjects have \u003Cstrong>enforceable rights\u003C/strong> as well as \u003Cstrong>effective remedy avenues\u003C/strong>.\u003C/p>\r\n\u003Ch3 id=\"action-checklist-for-dpos\">Action checklist for DPOs\u003C/h3>\r\n\u003Col>\r\n\u003Cli>\u003Cp>\u003Cstrong>If you rely on the DPF:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>Confirm counterparties’ \u003Cstrong>active certification\u003C/strong> and scope; align your Art. 
13/14 notices and records (RoPA) accordingly.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Keep \u003Cstrong>SCCs/BCRs as a fallback\u003C/strong> in playbooks for critical flows.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>If you rely on SCCs/BCRs:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Refresh \u003Cstrong>transfer impact assessments\u003C/strong> to reference EO 14086 safeguards recognized by the Court.\u003C/li>\r\n\u003C/ul>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>\u003Cstrong>Contracts &amp; governance:\u003C/strong>\u003C/p>\r\n\u003Cul>\r\n\u003Cli>Track the Commission’s \u003Cstrong>periodic reviews\u003C/strong> and any U.S. legal shifts that could trigger re-assessment.\u003C/li>\r\n\u003C/ul>\r\n\u003C/li>\r\n\u003C/ol>\r\n\u003Ch3 id=\"whats-next\">What’s Next\u003C/h3>\r\n\u003Cul>\r\n\u003Cli>\u003Cp>\u003Cstrong>Appeal possible\u003C/strong>: Latombe may appeal to the CJEU, but only on points of law.\u003C/p>\r\n\u003C/li>\r\n\u003Cli>\u003Cp>Ongoing U.S. institutional changes (e.g., oversight bodies’ composition) and EU–US political tension keep a \u003Cstrong>“déjà-vu” risk in the background\u003C/strong>. The Commission’s ongoing \u003Cstrong>monitoring duty\u003C/strong> is pivotal.\u003C/p>\r\n\u003C/li>\r\n\u003C/ul>\r\n\u003Cp>👉 \u003Cstrong>Practical takeaway\u003C/strong>: For now, EU–U.S. data flows are legally secure, but organizations should combine reliance on the DPF with risk management strategies to anticipate future litigation or political changes.\u003C/p>\r\n","EU–U.S. Data Flows Secured by Court Ruling","EU Court upholds the EU–U.S. Data Privacy Framework, securing legal certainty for transatlantic data transfers.",738,4,0,null,"en","eu-us-data-flows-secured-by-court-ruling","On 3 September 2025, the EU General Court dismissed Latombe’s challenge and upheld the EU–U.S. Data Privacy Framework. 
Discover what this means for cross-border data transfers.","Published",{"id":18,"displayName":19,"avatarUrl":20,"bio":12,"blogUrl":12,"color":12,"userId":18,"creationDate":21},20352,"Leïla Sayssa","https://static.dastra.eu/tenant-3/avatar/20352/TDYeY3C8Rz1lLE/dpo-avatar-h01-150.png","2025-03-03T11:08:22","2025-09-04T15:47:00","2025-09-04T15:47:59.3888277","2025-09-04T16:18:53.4706653",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":31},2,"Blog","A list of curated articles provided by the community","article","#28449a",[32,35,38],{"lang":33,"name":27,"description":34},"fr","Une liste d'articles rédigés par la communauté",{"lang":36,"name":27,"description":37},"es","Una lista de artículos escritos por la comunidad",{"lang":39,"name":27,"description":40},"de","Eine Liste von Artikeln, die von der Community verfasst wurden",[42,47],{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":43},[44,45,46],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},{"id":48,"name":49,"description":50,"url":51,"color":52,"parentId":26,"count":12,"imageUrl":12,"parent":53,"order":58,"translations":59},69,"Expertise","Gain insights from our experts on GDPR compliance, data protection, and privacy challenges. In-depth articles, professional analysis, and real-world best practices.","indepth","#000000",{"id":26,"name":27,"description":28,"url":29,"color":30,"parentId":12,"count":12,"imageUrl":12,"parent":12,"order":11,"translations":54},[55,56,57],{"lang":33,"name":27,"description":34},{"lang":36,"name":27,"description":37},{"lang":39,"name":27,"description":40},5,[60,62,65],{"lang":33,"name":49,"description":61},"Bénéficiez des conseils de nos experts sur la conformité RGPD, la protection des données et les enjeux privacy. 
Articles de fond, analyses et retours d’expérience métier.",{"lang":39,"name":63,"description":64},"Fachwissen","Entdecken Sie die Artikel unserer DSGVO-Experten",{"lang":36,"name":66,"description":67},"Experiencia","Descubre los artículos de nuestros expertos en Privacy",[],"https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36-original.jpg",[71,72,73,74,75,76,77],"https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36-1000.webp","https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36.webp","https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36-1500.webp","https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36-800.webp","https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36-600.webp","https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36-300.webp","https://static.dastra.eu/content/c6658b23-cdb6-40ae-b025-049e0ab9b410/visuel-article-36-100.webp",59566]