For the first time, an agreement between the EU and the US on the transfer of personal data has withstood judicial scrutiny by the European courts. The judgment in Latombe v. European Commission (General Court of the European Union, 3 September 2025) confirms that the EU–US Data Privacy Framework (DPF) ensures an adequate level of protection, as required under the EU’s General Data Protection Regulation (GDPR).
With the safeguards now in place under US law, European companies can continue to use American cloud and IT services with greater peace of mind. Or should caution still prevail?
Since 2018, the GDPR has aimed to guarantee a high and uniform level of data protection within the European Economic Area (EEA). However, many companies operate outside this area or do business with entities established abroad, resulting in the processing of personal data outside the EEA.
Such transfers are in principle only permitted where adequate data protection can be ensured through one of the mechanisms provided for under the GDPR. An adequacy decision adopted by the European Commission, declaring that a non-EEA country ensures an adequate level of protection, is one such mechanism.
Given their shared commercial interests, the EU and the United States have long sought to establish a regulatory framework that meets the stringent requirements of the GDPR. Yet repeated surveillance scandals and the lack of independent oversight in the US have proven major stumbling blocks.
The 2000 Safe Harbour Agreement was invalidated by the Court of Justice in its Schrems I judgment (2015), and the 2016 Privacy Shield met the same fate in its Schrems II judgment (2020). In both cases, the Court found that US intelligence services had overly broad powers and that EU citizens lacked sufficient judicial redress against disproportionate interference.
Following these rulings, negotiations resumed with the US to create a new framework that would comply with both the GDPR and the EU Charter of Fundamental Rights. This led to Commission Implementing Decision (EU) 2023/1795, which endorsed the EU–US Data Privacy Framework, a self-certification system under which US companies that have certified must comply with the principles, rules and obligations governing the processing of personal data of individuals in the EEA.
The framework introduces new safeguards for the processing of personal data by US intelligence authorities and establishes the Data Protection Review Court (DPRC).
Shortly after the DPF entered into force, French Member of the European Parliament Philippe Latombe brought an action before the General Court seeking annulment of the adequacy decision. He argued that the European Commission had exceeded its margin of discretion by determining that the United States ensured an adequate level of protection.
Latombe maintained that, even with the new guarantees introduced, the US legal system still failed to provide sufficient safeguards for key GDPR requirements — in particular with respect to (1) effective judicial redress, (2) interference by intelligence services, (3) automated decision-making, and (4) security of processing of personal data.
He further claimed that, in assessing the DPF, the Commission had failed to take adequate account of the Schrems I and Schrems II case-law, and that the new framework still suffered from essentially the same deficiencies.
The General Court, however, dismissed all of Latombe’s pleas and upheld the validity of the DPF.
The Court held that the DPRC is functionally independent and protected from undue influence. Although its members are appointed and removed by the executive branch, they enjoy sufficient safeguards. The fact that the DPRC is not part of the judiciary is acceptable, as its guarantees are equivalent and its decisions are binding and final on the US government and intelligence agencies.
Latombe argued that US law still allows intelligence agencies to collect personal data in bulk without prior judicial or administrative authorisation. The Court rejected this argument, finding that indiscriminate or mass collection of data is not permitted in the US. Bulk collection is allowed only when targeted collection is not feasible and must be limited, necessary and proportionate, subject to subsequent review by an independent body.
Unlike the GDPR, US law does not contain a general prohibition on purely automated decision-making without human intervention. The applicable rules differ across sectors and types of organisations. Nonetheless, the Court found that the US framework provides adequate protection, as the DPF imposes transparency obligations on organisations and grants individuals the right to request human review of an automated decision. In addition, oversight mechanisms are in place to handle complaints from individuals.
Whereas the GDPR imposes a general obligation to ensure the security of personal data, this obligation in the US applies only to organisations that have formally adhered to the DPF. The Court found that the Commission had sufficiently assessed whether the US certification system offers adequate protection. Since certified organisations are contractually bound to implement appropriate security measures and are subject to supervision by the US authorities, the Court held that an equivalent level of protection is ensured.
The Court consistently emphasised that the US system does not need to be identical to the GDPR, provided that the level of protection is “essentially equivalent” in practice. Although the DPF currently stands, its future remains uncertain.
In addition to a possible appeal that Latombe may bring against this judgment, several privacy-rights organisations — including NOYB (None of Your Business), founded by Max Schrems — have already announced their intention to challenge the DPF on broader grounds through both administrative and judicial channels.
Finally, adequacy decisions such as the DPF are subject to periodic review every four years. The first review will therefore take place by 2027 at the latest. The European Commission will then need to assess whether the US continues to uphold the promised safeguards. In today’s unpredictable political climate of trade tensions and shifting policies, that remains to be seen.