Key Takeaways

• The EU General Court ruled that the US ensures an adequate level of protection for EU personal data.
• The DPF remains valid — companies can rely on it for compliant data transfers.
• Legal uncertainty continues: the ruling may be appealed.
• Privacy advocates remain unconvinced; businesses breathe a sigh of relief.

From Schrems II to the New Data Privacy Framework

Past EU-US data transfer frameworks – Safe Harbour and Privacy Shield – were invalidated by the Court of Justice in the well-known Schrems I and Schrems II cases. Those rulings cited insufficient privacy safeguards and lack of redress mechanisms for EU citizens.

In response, the US adopted Executive Order 14086 and related regulations in 2022, creating new privacy safeguards and a Data Protection Review Court (DPRC) to oversee intelligence-related data collection. Based on these reforms, the European Commission adopted Decision (EU) 2023/1795, confirming adequacy.

In essence, the EU-U.S. Data Privacy Framework (“DPF”) is a self-certification mechanism for companies in the U.S. The European Commission considers that transfers of personal data from the EEA to companies in the U.S. certified under the DPF enjoy an adequate level of protection.

Why Philippe Latombe Challenged the DPF

French MP Philippe Latombe was seeking to annul the DPF, arguing that it didn't fully protect EU citizens’ personal data as required under EU law. His main concerns were:

• Bulk Data Collection: U.S. intelligence agencies can still access large amounts of EU citizens’ data, which Latombe says violates the GDPR’s principles of data minimisation and proportionality.
• Limited Remedies: The DPF’s Data Protection Review Court, the key body for complaints, lacks true independence and does not offer strong legal remedies for EU individuals.
• Procedural Issues: Latombe claims the EU failed to properly notify its Member States about the DPF, breaching EU rules.
• Other Safeguards: He also highlights weak protections against security risks and automated decisions.

Overall, Latombe argued that the DPF repeats the problems found in earlier data transfer frameworks struck down Schrems II, and fails to meet EU privacy standards.

What the General Court Said About US Privacy Protections

The General Court dismissed all of Latombe’s claims.

In so doing, it confirms that, on the date of adoption of the contested decision, the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country (excerpt from the Court's press release)

It specifically found that:

• Data Protection Review Court (DPRC) offered sufficient guarantees of independence and impartiality. It rejected arguments that the DPRC was dependent on the executive, citing safeguards in the appointment and dismissal of judges, the binding and final nature of its decisions, and oversight by the independent Privacy and Civil Liberties Oversight Board (PCLOB). The Court also clarified that EU law does not require a "judicial court" in the strict sense, but rather any "body" providing substantially equivalent guarantees.
• Regarding the bulk collection of personal data by US intelligence agencies, the Court concluded that the US framework provided an adequate level of protection. It clarified that the Schrems II judgment did not mandate prior judicial or administrative authorization for bulk collection, but rather required, at a minimum, ex post judicial review. It found that  US law, specifically E.O. 14086 and the AG Regulation, subjects signals intelligence activities, including bulk collection, to ex post judicial oversight by the DPRC, whose decisions are final and binding.

What the Court Didn’t Say: The Standing Question

One of the biggest uncertainties in the Latombe case was whether Mr. Latombe had the legal standing to bring an action for annulment. The European Commission contested the admissibility of his claim, while Mr. Latombe consistently argued that his action was admissible.

The General Court ultimately chose not to rule on this procedural issue. Instead, it exercised its discretion to assess "whether the proper administration of justice justifies dismissing an action on its merits, without first ruling on its admissibility." The Court proceeded directly to evaluate the substance of the case — which it ultimately declared unfounded.

Privacy vs. Business Certainty: Divided Reactions

The General Court's ruling sparked sharply divided reactions, highlighting the ongoing tension between the demands of the digital economy and the principles upheld by privacy advocates.

From the perspective of privacy advocates, the judgment is seen as a temporary and insufficient solution. Max Schrems — whose earlier legal challenges brought down both the Safe Harbour and Privacy Shield frameworks — argued that the Data Privacy Framework (DPF) is essentially identical to its predecessors. Max Scherms' NGO NOYB expressed “surprise” at the outcome and criticized the General Court for what it described as a “massive departure” from existing CJEU case law.

Max Schrems: This was a rather narrow challenge. We are convinced that a broader review of US law – especially the use of Executive Orders by the Trump administration should yield a different result. We are reviewing our options to bring such a challenge. While the Commission may have gained another year, we still lack any legal certainty for users and businesses.

In contrast, the business community welcomed the ruling with relief. Industry groups and law firms interpreted the judgment as a strong endorsement of the DPF’s validity. For companies reliant on smooth transatlantic data flows, the decision brings a much-needed period of legal certainty. Experts warned that an annulment would have created “digital chaos”, forcing businesses to fall back on more complex and burdensome mechanisms like Standard Contractual Clauses (SCCs).

What Happens Next in the DPF Legal Saga

The General Court’s ruling is not final. It may be appealed to the Court of Justice of the European Union (CJEU), though any appeal must be limited to points of law. Such an appeal must be filed within two months and ten days from the date the decision was notified.

Follow Streamlex’s DPF Tracker for summaries and timely updates.

🗂 Unofficial English Translation of the Judgment

The General Court’s judgment in Case T-553/23 – Latombe v. European Commission is currently available only in French. Below is an unofficial English translation provided for informational purposes. It is not legally binding and does not replace the official version published by the Court.

Disclaimer: This is an unofficial translation of the General Court’s judgment in Case T-553/23. It is provided solely for convenience and understanding. In case of discrepancies, the official French version prevails. Streamlex does not guarantee the legal accuracy of this translation.

Frequently Asked Questions

• Can EU companies still transfer data to the US under the DPF? Yes. The DPF remains a valid legal basis for data transfers to US-certified organizations.
• Is the DPF different from the Privacy Shield? Yes, the DPF includes new safeguards, such as the creation of the Data Protection Review Court (DPRC) and stricter oversight mechanisms.
• Could the DPF be invalidated in the future? Potentially. Privacy advocates like Max Schrems are considering further legal action, and appeals in Latombe case may be filed.
• What are alternatives if the DPF is struck down? Companies would likely need to rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), both of which are more complex and require additional safeguards or supplementary measures (encryption, pseudonymization, etc.).