Following the post-Schrems II regime, the EU–US Data Privacy Framework (“DPF”) emerged as the Commission’s latest attempt to secure lawful transatlantic data flows. Adopted in July 2023 through Commission Implementing Decision (EU) 2023/1795, the adequacy decision sought to remedy the deficiencies that had twice led the Court of Justice of the European Union (“CJEU”) to strike down its predecessors: Safe Harbor in Schrems I and Privacy Shield in Schrems II.[1]
On 3 September 2025, the General Court delivered its long-awaited judgment in Latombe v. Commission (T-553/23),[2] dismissing an action for annulment and upholding the Commission’s adequacy assessment.
The CJEU invalidated the two aforementioned successive adequacy frameworks mainly due to US surveillance laws failing to ensure a level of protection “essentially equivalent” to EU standards provided under the Charter of Fundamental Rights. Schrems II, in particular, criticised the absence of effective redress for EU individuals and the broad scope of US intelligence collection.
To address these shortcomings, the US adopted Executive Order 14086 of October 7, 2022, supplemented by an Attorney General Regulation. Together, these instruments created the Data Protection Review Court (the “DPRC”) which seeks to provide EU citizens with a mechanism for challenging unlawful surveillance. It was on this basis; the Commission issued its adequacy decision.
It was this decision that French MP Philippe Latombe sought to annul. His action argued that the DPRC is neither impartial nor independent, being created by executive order, and that bulk surveillance by US intelligence agencies continues without adequate safeguards.
The General Court rejected all pleas and upheld the DPF in its entirety. The Court found that the DPRC is accompanied by sufficient safeguards to guarantee impartiality and independence whereas judges may only be dismissed for cause and that the Attorney General and intelligence agencies cannot improperly influence their work. Notwithstanding that the current framework obliges the Commission to continuously monitor compliance where it may choose to suspend, amend or repeal the contested implementing decision or to limit its scope with haste.
Perhaps most strikingly however, the Court held that nothing in Schrems II requires bulk collection of personal data to be subject to prior judicial authorisation. Instead, the CJEU required that such collection be subject to ex post judicial review. Since under US law, intelligence activities are now subject to oversight by the DPRC, the General Court finds that it cannot be considered that the bulk collection of personal data by American intelligence agencies falls short of the requirements arising from Schrems II or that US law fails to ensure a level of legal protection that is essentially equivalent to that guaranteed by EU law.[3]
At the time of writing, the DPF remains in force, allowing EU–US data transfers without the need for additional transfer tools such as Standard Contractual Clauses (“SCCs”). Entities that have self-certified under the DPF may continue to rely on it.
However, this is not a guarantee of long-term stability. Given the climate and criticisms that the judgment has received thus far, an appeal is likely. Currently, there is a tangible risk that the DPF may ultimately meet the same fate as its predecessors. With this being said, entities are still encouraged to maintain contingency plans (i.e. SCCs & Transfer Impact Assessments) in case the DPF is invalidated.
Whether the CJEU will share this view remains to be seen. For entities however, the ruling buys valuable time, but not certainty.
Author: Dr J.J. Galea
Need assistance with international data transfers? GTG is here to help. Kindly contact us at info@gtg.com.mt
[1] Read more on: Schrems Case, Schrems 2 Ruling, EU-US Data Protection Framework Issued
[2] At the time of writing only available in French and Portuguese.
[3] https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf