On 3 September 2025, the European General Court dismissed Philippe Latombe’s challenge against the EU–U.S. Data Privacy Framework (DPF). The General Court examined the claims in detail and concluded that the DPF meets EU standards, in particular that it provides an “essentially equivalent level of protection” for personal data transferred from the EU to the U.S.
The decision is significant because the two previous transatlantic transfer mechanisms – Safe Harbor (2015) and Privacy Shield (2020) – were invalidated by the European Court of Justice due to gaps in U.S. data protection laws. This time, however, the General Court concluded that the reforms included in the 2023 DPF sufficiently address past shortcomings and ensure that EU citizens’ personal data is adequately protected across the Atlantic. The case is not over yet, though: the judgment can still be appealed.
1. Background
Data transfers to the United States have been the subject of intense legal debate in the field of data protection for years. Previously, the Safe Harbor and later the Privacy Shield frameworks provided the basis for transferring personal data from the European Union to the United States. However, the Schrems I (2015) and Schrems II (2020) judgments invalidated these frameworks one after the other, creating significant uncertainty for transatlantic data flows. In the absence of these frameworks, transferring personal data to the U.S. was only possible with considerable administrative burdens.
To address this situation, on 10 July 2023, the European Commission adopted its latest adequacy decision for the United States, the EU–U.S. Data Privacy Framework (DPF). This decision suggested that the United States provides an adequate level of protection for personal data transferred from an EU controller or processor to U.S. organizations listed under the DPF.
Shortly after the DPF’s adoption, concerns arose among experts. Just a few months later, in September 2023, French Member of Parliament Philippe Latombe brought a case before the General Court seeking to annul the DPF, a case that resulted in the decision issued on 3 September 2025.
2. What was the main subject of the claim?
Latombe argued that the DPF does not provide an “adequate level of protection” for personal data transferred to the United States. In his claim, he identified several issues, including:
a) According to Mr. Latombe, the Data Protection Review Court (DPRC), established by the U.S. Attorney General to handle complaints from EU data subjects, does not meet EU fundamental rights standards. He argued that the DPRC, created by the U.S. Attorney General under authority delegated by the President rather than through a separate legislative act, cannot be considered an independent and impartial court and does not provide safeguards equivalent to those required under EU law.
b) Mr. Latombe also raised concerns about the bulk collection of data by U.S. intelligence authorities, arguing that it constitutes a disproportionate and unlawful interference with privacy, particularly because such collection is often carried out without prior judicial or other independent oversight.
3. How the General Court ruled on the DPF?
The General Court dismissed the claim seeking to annul the DPF.
Before examining the objections raised by Latombe, the Court first clarified the concept of an “adequate level of protection” under Article 45 of the GDPR. It made clear that full alignment of laws, or absolute compliance, is not required. It is sufficient that the protection of fundamental rights and freedoms is functionally equivalent.
The General Court further noted that:
a) The DPRC operates under safeguards (rules for the appointment of judges, strict conditions for their removal, and independent procedural rules) that meet EU requirements. The General Court emphasized that DPRC judges are appointed based on strict professional experience criteria, and the U.S. executive branch cannot interfere with their activities. Overall, the General Court concluded that the DPRC’s independence and impartiality is ensured.
b) While U.S. law does allow for bulk data collection, such collection is strictly regulated, may only occur for purposes explicitly defined by law, and is limited to a narrowly defined scope.
Taking all of the above into account, the General Court concluded that the DPF currently complies with the requirements set out in the GDPR and that there are no fundamental shortcomings justifying its annulment.
4. Why does this matter for the average user?
At first, it may seem abstract why an average user should care about the legal rules governing the transfer of their data across the Atlantic. In reality, it affects everyday life: storing files in the cloud (e.g., Dropbox or Google Drive), using social media (Facebook, Instagram), sending emails (Gmail, Outlook), or working with online office tools and other software (such as Microsoft 365 or Google Workspace). In many of these cases, personal data is handled by U.S. service providers.
If the legal framework for these data flows becomes uncertain, it could have real consequences not just for providers, but also for users. The platforms we rely on every day might become less accessible or even temporarily unavailable. It is no coincidence that Mark Zuckerberg has previously suggested that Meta might withdraw from the European market. This debate has very tangible implications: it concerns whether we can continue using the tools and services that we rely on in both work and private life.
Another crucial aspect is whether individuals can effectively exercise their rights under effective data protection rules if something goes wrong, and whether they can trust that their most personal online activities are safe. Within the EU, data protection authorities and courts provide clear remedies. But if personal data is transferred to the United States without adequate legal safeguards, European users could find themselves unable to complain or seek compensation for unlawful processing. That is why robust protections for data subjects are so important.
For EU citizens, the Latombe decision means that, at least for now, they can continue using the services they rely on every day without any disruption. The ruling also confirms that there is an established system for seeking remedies in the United States for personal data transfers, addressing a gap present under previous frameworks. At the same time, exercising these rights in practice remains complex, as users must go through a multi-step complaints process to fully enforce them.
5. What companies should take away from the case
Although the General Court’s decision brings temporary stability, the story is far from over. The ruling can still be appealed, meaning the case could eventually reach the European Court of Justice. Considering that the Schrems cases previously led the Luxembourg court to annul similar mechanisms twice, there is no certainty that the DPF will remain in place in the long term.
For companies that transfer personal data to the United States as part of their operations, the most effective strategy is twofold:
a) In the short term, companies can rely on the DPF, which is currently valid and can be used for data transfers to the U.S. The U.S. Department of Commerce maintains a public list of entities participating in the DPF, making it easy to check whether a given recipient is covered.
b) In the medium and long term, companies should:
(i) Keep a close eye on further developments regarding the Latombe case, and
(ii) Consider alternatives if the DPF—or other adequacy decision—is not available. Appropriate safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) can help ensure that operations continue smoothly if circumstances change down the line.