On September 3, 2025, the General Court of the European Union issued a landmark ruling in case T-553/23, involving the Member of the European Parliament Philippe Latombe. In his appeal, Latombe sought the annulment of the Data Privacy Framework (DPF) between the European Union and the United States, the legal framework governing the transfer of personal data from the EU to the USA.
Latombe challenged the validity of the implementing decision (EU) 2023/1795 adopted by the European Commission (EC) on July 10, 2023, which recognized the adequacy of the level of data protection under the EU-US framework for the protection of personal data, namely the DPF.
Article 45(1) of the GDPR provides that a transfer of personal data to a third country (i.e., a country outside the EU/EEA) may be authorized by a Commission decision establishing that the third country ensures an adequate level of data protection. This provision is set out in Chapter V of the Regulation and, as previously indicated by the Court of Justice of the EU (see previous CJUE rulings Schrems I, C-362/14 invalidating the “Safe Harbor” and Schrems II, C-311/18 invalidating the “Privacy Shield”), its overall objective is to ensure the continuous high level of protection of data guaranteed by EU law under the GDPR, even when data are transferred outside the Union.
In its recent decision, the General Court of the European Union dismissed Latombe's appeal, thereby upholding the validity of the adequacy decision that continues to permit the transfer of personal data from the EU to the United States. The Court found that the safeguards provided by the Data Privacy Framework sufficiently protect fundamental privacy rights, and that the protections offered by the US system are deemed adequate.
In essence, the judges ruled that the Data Privacy Framework (DPF) remains valid and that personal data transfers can continue under it without breaching European data protection laws.
Given that the DPF plays a vital role in an era where transatlantic data flows are central to the digital and commercial operations of businesses and individuals, this ruling offers reassurance to companies relying on the framework for their data transfers to the U.S.
However, the Court also emphasized that challenges related to data protection have not been fully resolved, and ongoing monitoring of the effective implementation of security measures is essential.
In fact, Mr. Latombe still has the right to appeal the General Court’s decision before the Court of Justice of the European Union, and it remains uncertain whether the higher court would follow the General Court’s reasoning.
In recent months, decisions by the Trump administration have introduced new complexities to the Data Privacy Framework. Notably, Trump pushed for the removal of key members of the Privacy and Civil Liberties Oversight Board (PCLOB), the independent body tasked with supervising U.S. surveillance activities and serving as a critical safeguard for the DPF’s validity. This move has sparked concerns that the protections guaranteed by the U.S. framework could be undermined, putting European trust in the current regime at risk.
Some privacy experts and activists worry that, although the EU General Court upheld the Data Privacy Framework, ongoing political and legislative developments in the United States could open the door to new appeals or even lead to the framework’s invalidation by the European Court of Justice. Max Schrems, founder of the privacy advocacy group NOYB and known for successfully challenging previous EU-US data transfer agreements, stated: “This was a rather narrow challenge. We are convinced that a broader review of US law – especially the use of Executive Orders by the Trump administration should yield a different result. We are reviewing our options to bring such a challenge. While the Commission may have gained another year, we still lack any legal certainty for users and businesses.”(source: https://noyb.eu/en/eu-us-data-transfers-first-reaction-latombe-case).
Given the uncertainty of the current geopolitical landscape, companies should remain vigilant and closely monitor for any potential appeals or future legal challenges. In conclusion, while the decision reinforces transatlantic cooperation on privacy, it also underscores the ongoing need for careful oversight to ensure that the personal data of European citizens is always handled with the utmost care and protection.