
EU General Court Upholds EU-U.S. Data Privacy Framework
In Short
The Situation: On September 3, 2025, the General Court of the European Union dismissed an action for annulment brought by a French member of Parliament against the European Commission's decision recognizing the adequacy of the level of protection for personal data transferred to the United States under the EU-U.S. Data Privacy Framework ("DPF").
The Result: The ruling confirms that transfers of personal data from the EU to U.S. organizations that have certified under the DPF may continue based on the European Commission's adequacy decision.
Looking Ahead: While the General Court's decision allows continued use of the EU-U.S. DPF, further appeals and legal challenges are possible. The European Commission will keep monitoring U.S. data protection standards and may revise the adequacy decision if needed. Organizations should stay alert to legal developments and be ready to adjust their data transfer practices accordingly.
Background
As reported in our previous Jones Day Alert, the European Commission adopted the contested adequacy decision in July 2023 following U.S. reforms, notably Executive Order 14086 and the Attorney General's Regulation 28 CFR Part 201, which established the Data Protection Review Court ("DPRC").
The DPF was designed in response to the EU Court of Justice's Schrems I (2015) and Schrems II (2020) judgments, which invalidated previous frameworks for transferring data from the EU to the U.S. (the Safe Harbor and the EU-U.S. Privacy Shield; see our Jones Day Commentary on the Schrems II ruling).
French Member of Parliament Philippe Latombe challenged the European Commission's Implementing Decision (EU) 2023/1795 of July 10, 2023 (the "Adequacy Decision"), arguing that: (i) the DPRC lacked independence and impartiality; and (ii) U.S. intelligence agencies' practice of bulk data collection violated Articles 7, 8, and 47 of the Charter of Fundamental Rights of the EU.
The Court's Reasoning
On the DPRC's Independence: The General Court found that the DPRC's structure, appointment process, and safeguards, including limited grounds for dismissal and prohibition of undue influence, ensured independence and impartiality. It emphasized that the European Commission must continuously monitor the U.S. legal framework and can suspend, amend, or repeal the adequacy decision if protections deteriorate.
On Bulk Data Collection: The General Court ruled that the Schrems II ruling did not require ex ante authorization by an independent body for bulk collection. What matters in the court's review of the adequacy decision is the availability of ex post judicial review of the intelligence agencies' decisions to implement bulk data collection, which the DPRC provides. Accordingly, U.S. law is deemed to provide protections "essentially equivalent" to those under EU law.
As a result, the court found that, at the date of adoption of the adequacy decision, the U.S. legal framework ensured an adequate level of protection for personal data transferred under the DPF, and the challenge by Philippe Latombe was dismissed in its entirety.
Three Key Takeaways
- Organizations located in the United States that have certified compliance with the DPF may continue to rely on this framework for receiving and processing personal data sent from the EU.
- The European Commission must continuously reassess the framework in light of legal or practical changes that may arise. Data exporters should also continue monitoring U.S. congressional and executive activity, as well as reports from the European Commission, to make sure the data transfer safeguards that they rely upon remain valid.
- The judgment can be appealed to the Court of Justice of the EU within two months and 10 days. Stakeholders should remain alert to possible further litigation relating to the DPF.