The EU General Court has dismissed Philippe Latombe’s legal challenge to the EU-US Data Privacy Framework. This ruling allows businesses to continue transferring personal data across the Atlantic under current rules.
Philippe Latombe, a French member of parliament, brought the action for annulment before the General Court, the first instance among EU courts. The challenge targeted the Transatlantic Data Protection Framework that the European Commission approved in 2023.
The case was particularly significant because Latombe had to prove both that the framework was substantively flawed and that he was directly affected by it. The General Court found his arguments unconvincing and rejected the challenge entirely.
This decision maintains the framework, but leaves room for future appeals and challenges. Privacy advocate Max Schrems has already indicated that broader legal action may follow, particularly focusing on the Trump administration’s use of executive orders.
The current framework represents the third attempt to create stable data transfer arrangements between the EU and the US.
The original Safe Harbour agreement allowed US companies to self-certify their compliance with EU privacy standards. This lasted 15 years until Max Schrems successfully challenged it in 2015, arguing that Edward Snowden’s revelations about NSA surveillance made US protections inadequate.
The Privacy Shield replaced Safe Harbour but faced similar problems. The CJEU struck it down in July 2020 in the Schrems II case, finding that US surveillance programs were neither necessary nor proportionate under EU law. The court also ruled that EU citizens lacked effective legal remedies against US government surveillance.
The new framework emerged after extensive negotiations and was approved by the European Commission in July 2023. It includes enhanced safeguards, including the Data Protection Review Court (DPRC) to handle complaints about US intelligence access to EU data.
Each invalidation has created legal uncertainty for thousands of companies relying on transatlantic data flows, forcing them to use alternative mechanisms, such as Standard Contractual Clauses with additional safeguards.
• A French MP challenged the EU Commission’s approval of the EU-US Data Privacy Framework (DPF)
• He argued the framework doesn’t provide adequate protection for EU citizens’ data when transferred to the US
• The case focused on two main issues: independence of the Data Protection Review Court and bulk data collection practices
• The General Court rejected all arguments and upheld the framework
Latombe claimed that this oversight body lacks true independence because it exists only through a US executive order, rather than federal law.
The court disagreed, finding sufficient safeguards in place for judicial independence.
The challenge argued that US intelligence agencies should require court approval before collecting bulk data on EU citizens.
The court ruled that post-collection judicial review through the DPRC meets EU standards.
• The EU-US Data Privacy Framework remains valid for data transfers
• No immediate changes needed to existing transfer arrangements
• Organisations can continue using the DPF as their legal basis
• The ruling can be appealed to the Court of Justice of the European Union
• Privacy advocate Max Schrems indicates broader challenges may follow
• Legal uncertainty persists around long-term stability
• Keep using the DPF for US data transfers while monitoring developments
• Document your transfer arrangements and compliance measures
• Stay informed about potential appeals or new legal challenges
• Consider backup transfer mechanisms like Standard Contractual Clauses
The General Court found that:
• US appointment procedures for DPRC judges include independence safeguards
• The Attorney General cannot remove judges except for cause
• Intelligence agencies cannot improperly influence DPRC decisions
• The EU Commission retains the power to suspend the framework if protections weaken
This is the third attempt at creating a stable framework for EU-US data transfers.
Previous versions, Safe Harbour and Privacy Shield, were struck down by the Court of Justice in the Schrems cases.
The current framework was designed to address those earlier concerns; however, critics argue that it still contains similar problems.
Companies transferring data between the EU and the US face complex compliance requirements that extend beyond just relying on the Data Privacy Framework.
GDPRLocal offers Article 27 GDPR representative services for US companies that process data of EU citizens. This mandatory requirement means having an official EU contact point for data subjects and regulators when your company operates outside the EU.
• Documentation and compliance guidance for international data transfers
• Backup mechanisms such as the Standard Contractual Clauses implementation
• Regular monitoring of regulatory changes affecting EU-US data flows
• Vendor management to check third-party compliance with data transfer requirements
GDPRLocal’s certified data protection consultants help businesses manage the uncertainty around transatlantic transfers. This includes preparing for potential framework changes, maintaining proper documentation, and creating contingency plans when legal challenges succeed.
US businesses can continue using the current framework while building strong compliance foundations that protect against future regulatory shifts.