EU-US Data Privacy Framework Survives Legal Challenge: What the Latombe Decision Means for International Data Transfers

Written By

Tobias Bräutigam

Partner
Finland

I am a partner and the head of our Privacy and Data Protection group in Helsinki, where I advise our local and international clients on complex privacy and data issues.

Ruth Boardman

Partner
UK

I am based in London and co-head Bird & Bird's International Privacy and Data Protection Group. I enjoy providing practical advice and solutions to complex legal issues.

Riku Rauhanen

Senior Associate
Finland

I am a Senior Associate in our Commercial and Privacy & Data Protection groups in Helsinki, where I work with our local and international clients advising them on data protection, other data regulation, and commercial contracts.

On 3rd September 2025, the General Court of the European Union dismissed an action for annulment brought against the EU–US Data Privacy Framework (DPF), thereby upholding the framework's validity. This decision means that companies can continue transferring personal data to the United States under the current system, although the ruling can still be appealed to a higher court.

The EU data protection regime imposes strict rules on personal data transfers outside the EEA. Several legal mechanisms exist to enable such transfers, including Standard Contractual Clauses and adequacy decisions under Article 45 of the General Data Protection Regulation (GDPR). An adequacy decision means that another country, sector, or international organisation has been found to offer an “essentially equivalent” level of data protection. In 2022, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework. Philippe Latombe, a French MP, brought proceedings before the EU General Court seeking annulment of the Commission's adequacy decision.

Sufficient control over bulk data collection

Mr Latombe argued that ‘widespread’ and ‘bulk’ collection of personal data infringed Arts. 7 & 8 of the Charter of Fundamental Rights. The Court dismissed this, finding that US law provides substantially equivalent protection, with a clear legal framework, targeted collection prioritised over bulk collection, and specific limitations and purposes for bulk collection. The Court stated that US laws do not allow bulk collection of personal data inside the US, instead only permitting targeted collection (para 84-86). The Court found that there is nothing in Schrems II to suggest that bulk collection must necessarily be subject to prior authorisation by an independent judicial authority. Rather, it must, at a minimum, be subject to ex post judicial review. This criterion was met (para 104-105).

DPF does provide access to an independent tribunal

Mr Latombe argued that there was an infringement of Art. 47 of the Charter of Fundamental Rights and Art. 45(2) of GDPR, as there was no guarantee of an effective remedy and access to an independent tribunal.

The Court found that the Data Protection Review Court did amount to an independent tribunal, as the judges of the appeal body are appointed with strict criteria, serve fixed terms, can only be removed for cause, and their decisions are binding and final (para 43). The applicant questioned the appointment process of the judges as they are appointed by the Attorney General after consulting with an executive body. The Court found that the appointment process of these judges does not compromise the appeal body’s independence given the appointment criteria and removal protections (para 76). The applicant also claimed the appeal body wasn't "established by law"; the Court ruled that what matters is whether sufficient guarantees exist for independence and impartiality, not the formal nature of the establishing document (para 71).

Provisions on automated individual decisions: not determinative

The applicant argued that US law does not have a framework in place for automated decision-making. The Court noted that US law does offer sectoral protections similar to GDPR in areas like credit, employment, housing, and insurance where automated decisions are most likely (para 175). In any event, adequacy decisions do not require identical protection, but rather substantially equivalent protection through potentially different means (para 178).

US protections for security: also not determinative

The applicant argued that US requirements for security of data were too vague. The Court again found that it is not necessary for the third country to provide identical protection to that in the EU.

The Court could decide on the merits, irrespective of whether Mr. Latombe was eligible to bring the case

The Commission submitted that Mr. Latombe did not have legal standing. When Max Schrems challenged Safe Harbor and Privacy Shield, the request to the CJEU was made not by Schrems himself but by the Irish court hearing his case. Latombe applied directly to the General Court under Article 263 of the Treaty on the Functioning of the European Union. According to CJEU case law, such an application is only admissible when the matter is of direct and individual concern to the applicant, which is a higher bar for standing.

The General Court did not rule on the procedural question. It held that the Court may dismiss an action for annulment on its merits without first ruling on admissibility, where doing so is justified by the proper administration of justice (para 14 and 15).
