
Freshfields TQ


EU-US Data Privacy Framework survives its first judicial challenge – but more are expected

The EU General Court delivered its much anticipated ruling on a challenge brought by a French politician against the EU-US Data Privacy Framework (DPF) on 3 September 2025. The DPF is the EU Commission’s third try to establish a valid mechanism to facilitate the transfer of personal data subject to the EU’s GDPR to recipients in the US. The EU General Court upheld the EU-US Data Privacy Framework for now – however, the decision is subject to review by the Court of Justice of the EU (CJEU) and may lead to further scrutiny in the future. This blog post gives an overview of the EU General Court’s ruling and of the implications for EU, US and UK businesses that may rely, or be thinking of relying, on the DPF.

You can read our previous blog posts for further background on the DPF and related mechanisms put in place by the US.

Background

For the first time, a court had to rule on the validity of the DPF that became available for organisations in 2023. The DPF is the successor of the Safe Harbour agreement and the EU-US Privacy Shield, which were both invalidated by the CJEU after they were challenged by the privacy activist Max Schrems. Especially by way of the so-called Schrems II decision from 2020, the CJEU not only invalidated the EU-US Privacy Shield, but also expressed a rather strict view on the permissibility of third-country data transfers under the EU GDPR.

In the case at hand, a French individual directly challenged the DPF as the EU’s and US’ third try to establish a valid transfer mechanism only a few days after the EU Commission made the adequacy decision that underpins the DPF. The claimant (Mr Latombe) is a member of the French data protection authority (CNIL) and a French MP recognised for his strong engagement on digital and technology-related issues. His action before the EU General Court was brought in his personal capacity.

Unlike the previous (successful) challenges to the Safe Harbour and Privacy Shield mechanisms by Max Schrems, the claimant did not challenge the DPF before Member State courts (e.g. the Irish courts, as in the Schrems II case), which led to a referral by a national court to the CJEU, but applied directly to the EU’s General Court (which is subordinate to the CJEU). Several attempts had been made in the past to challenge the Safe Harbour and the EU-US Privacy Shield via this ‘direct’ route, without success.

Rejected grounds for challenge 

The claimant challenged the DPF on various grounds, all of which were rejected by the EU General Court upholding the validity of the DPF. These grounds relate to the legal changes that were implemented by the US in order to satisfy the EU Commission’s requests following the Schrems II decision. In more detail, the claimant made the following arguments that were all rejected by the EU General Court:  

Topic: Bulk data collection

Argument of the claimant: The bulk collection of personal data by US intelligence agencies lacks the safeguards required under EU law, as it is neither subject to prior authorisation of a court or an administrative authority, nor defined with sufficient clarity and precision.

Reasons for rejection: US Executive Order (EO) 14086 sets out fundamental requirements and specific safeguards for bulk* data collection by US intelligence services, allowing it only in limited circumstances and subject to precise and clear rules.

The CJEU’s Schrems II judgment does not require prior judicial authorisation for such collection where equivalent protections are achieved through other safeguards, such as an ex post judicial review.

On this basis, the US provides safeguards that are substantially equivalent to those required under EU law with regard to the bulk collection of personal data.

*According to the EU General Court, bulk collection (or ‘collecte en vrac’) of personal data corresponds to the collection of large volumes of signals intelligence, notably carried out under US EO 12333. The Court found that under the US rules: (i) bulk collection is only permitted outside the US (which includes data in transit from the EU to the DPF-registered organisations); and (ii) national security-related data gathering within US territory (including in relation to data transferred from the EU) may only take the form of targeted collection – that is, aimed at a specific individual, communication account, or other identified target – notably carried out under the Foreign Intelligence Surveillance Act.

Bulk collection must also be distinguished from the ‘mass collection’ of personal data, which refers to the indiscriminate and unrestricted gathering of data without safeguards or limitations – a practice that, according to the EU General Court, is not permitted under US law (whether within or outside US territory).

Topic: DPRC

Argument of the claimant: The US second-level redress body (the Data Protection Review Court, DPRC) does not satisfy the requirements of EU law, since it lacks sufficient independence from the executive branch to be regarded as an independent and impartial tribunal. In particular, (i) it is composed of judges appointed by the Attorney General (who is the principal legal adviser to the President of the United States and a member of his Cabinet) after consultation with the Privacy and Civil Liberties Oversight Board (PCLOB) (itself established within the executive branch and whose members are nominated by the US President with the approval of the Senate) and (ii) it is not ‘established by law’ but was instead created via an executive act, namely a decision of the Attorney General.

Reasons for rejection: The DPRC has sufficiently strong structural protections and guarantees, including fixed terms, for‑cause removal, ineligibility for executive roles, and binding and definitive decisions enforceable on US agencies and the US government. In addition, EO 14086 prohibits both intelligence agencies and the Attorney General from obstructing or unduly influencing the DPRC’s work.

As regards the PCLOB, it was conceived, by its founding statute, as an independent agency composed of five members, no more than three of whom may belong to the same political party, and whose members may not hold elected office or federal government positions during their term. The PCLOB’s mission includes, in particular, overseeing the CLPO (the first-level redress body) and the DPRC, i.e. verifying compliance with time limits and with the safeguards provided for in EO 14086, whether intelligence agencies have complied with their decisions, etc.

Finally, the fact that the DPRC was created by the Attorney General rather than Congress does not undermine its validity; what matters is its functional independence in practice and that it offers guarantees essentially equivalent to those required under EU law.

Topic: ADM

Argument of the claimant: The DPF does not guarantee EU-style rights for individuals affected by fully automated decision-making (ADM).

Reasons for rejection: The GDPR already applies to most relevant scenarios in EU–US transfers. The only ‘residual’ cases where it would not apply are limited to cases where non-EU organisations collect personal data directly within the Union, without offering goods or services to EU citizens and without monitoring their behaviour.

However, in those rare cases, US sector‑specific laws (e.g. in credit, employment, and health) are likely to apply and would offer comparable protections.

Topic: Security

Argument of the claimant: The DPF does not match the EU GDPR’s requirements for protecting the security of personal data, insofar as it does not impose security measures for the ‘consultation’ of personal data by organisations subject to the DPF.

Reasons for rejection: The requirements under the DPF were deemed substantially equivalent to the EU GDPR’s obligations, particularly with regard to the use of data, which necessarily includes access to and consultation of the data.

Topic: Other

Argument of the claimant: A procedural complaint about the languages used in the official EU adequacy decision.

Reasons for rejection: Withdrawn at the hearing on 1 April 2025.

Overall, the General Court noted that, as mentioned by the CJEU in the Schrems I and Schrems II judgments, the Commission is not required to ensure that a third country’s legal framework mirrors EU law, but rather that it provides a level of protection essentially equivalent to that guaranteed under the GDPR.

Likelihood of an appeal and procedural implications

The General Court’s ruling on the DPF offers temporary relief for the many organisations (including over 3,400 US companies) relying on the DPF for transatlantic data transfers. However, while the EU General Court validated the EU Commission’s assessment of the safeguards introduced by the DPF, its long-term validity remains uncertain. An appeal to the CJEU, which can be brought within two months and ten days of notification of the decision, is widely anticipated. Unofficial comments from Mr Latombe on social media suggest he will concurrently elevate the legal dispute to the EU’s highest court and make a formal request to the EU Commission to annul or suspend the DPF. The CJEU, known for its stringent scrutiny of data transfer mechanisms, will ultimately put the DPF to its most significant test, and a decision by the CJEU invalidating the DPF within the next few years remains a distinct possibility.

Prior to this decision, there had been speculation that the EU General Court might deem the case inadmissible on procedural grounds. However, the EU General Court’s decision to entertain this challenge is noteworthy, as it may open the door for privacy advocates to bring ‘direct’ challenges against approved data transfer mechanisms. This includes adequacy decisions, such as those relied upon by numerous organisations for transferring personal data to the UK and other third countries. The ability for privacy advocates to bring quicker ‘direct’ challenges before the EU courts, without requiring referral from a national court, significantly increases the risk that other established data transfer mechanisms will be challenged. In this case, the Court ruled on the merits without first deciding admissibility, citing the ‘proper administration of justice’. This unusual approach could encourage a dual-track strategy (direct action plus national referral), even though the Court may still reject future cases on admissibility grounds.

NOYB, a major EU-based privacy advocacy group founded by Max Schrems, who led the challenges that brought down the DPF’s two predecessors, issued a press release following the judgment suggesting that it will consider bringing a separate, broader challenge against the DPF before the CJEU. Any challenge brought by NOYB may benefit from having prior sight of the arguments and defences raised in this ruling. Future challenges are likely to combine legal arguments (e.g. whether a redress body created by executive order meets the Charter’s ‘established by law’ standard) with new factual developments after July 2023, such as the reauthorisation of FISA Section 702 or changes in US oversight practices. It is also notable that the EU General Court limited its analysis of the DPF to the facts as they stood when it was first implemented under President Biden. This means that subsequent political or legal developments – such as shifts under the current US administration – could become central in any appeal or new action.

Consequences of the EU General Court’s ruling

A practical nuance in the judgment is that the Court assessed the DPF only as it stood on 10 July 2023 (the date of the EU Commission’s adequacy decision) and emphasised the Commission’s ongoing duty to monitor the US framework and, if needed, suspend, amend or repeal the decision. In simple terms, this creates a ‘trapdoor’: if US law or practice materially changes after July 2023, the EU Commission is expected to react, and opponents can anchor new challenges on those post-decision facts. This shifts part of the action from the courtroom to continuous oversight – what happens after adoption may become decisive.

Equally important is what kind of safeguards for the collection of personal data the EU General Court accepted. Many assumed that only ex ante controls (e.g. a judge signing off before surveillance) could meet EU standards. The General Court clarified that EU law does not always require prior authorisation for national-security bulk collection if there are strong ex post checks (i.e. mechanisms that review after collection) and if collection follows strict necessity/proportionality rules. It relied on US changes such as EO 14086 and the DPRC, and it also drew on European Court of Human Rights (ECtHR) case-law that allows states some discretion where robust oversight exists. In other words, the General Court accepted a ‘collect first, review immediately after with tight constraints’ model as potentially adequate, not only an ‘approval before collection’ model – an approach that may influence how the CJEU looks at the case on appeal.

Potential spillover effects to UK-US arrangements 

If the DPF were invalidated, the UK would likely need to reconsider its equivalent ‘data bridge’ mechanism with the US, which operates as an extension to the EU-US DPF. See our previous blog post for further background on the ‘data bridge’.

When the ‘data bridge’ was created, UK and US officials are understood to have indicated that a successful challenge in the EU to the DPF may not interrupt the operation of the UK framework. Nevertheless, the ability of the UK data bridge to survive any invalidation of the DPF by the EU courts is questionable, given that the UK has shown a clear desire to maintain its own status as an ‘adequate’ jurisdiction to which EU personal data can be transferred under the EU’s GDPR.

If the UK were to persist with the bridge after the EU annulment of the DPF, this could be perceived as a ‘back door’ for EU-US data flows and might trigger a review of the UK’s adequacy status by the European Commission or legal challenges to the UK’s adequacy status.

Practical implications 

Beyond the DPF, the judgment has two practical spillovers. First, for the time being, it slightly eases the Transfer Impact Assessment (TIA) baseline for transfers based on EU standard contractual clauses (SCCs) to US recipients outside the DPF, since the Court endorsed US safeguards as meeting ‘essential equivalence’. Second, it does not change the fact that certain sectors – such as banking, insurance and telecoms – cannot certify under the DPF and must continue to rely on other transfer mechanisms under the EU GDPR, namely SCCs or binding corporate rules with supplementary measures.

Organisations relying on the DPF should keep abreast of developments and consider a multi-layered data transfer strategy, incorporating alternative mechanisms like SCCs and robust TIAs as a critical safeguard against future legal disruption. Further, organisations should not only focus on developments in the EU, but also closely monitor legal developments in the US with relevance to the DPF, especially on EO 14086, FISA Section 702 and DPRC decisions. Likewise, organisations putting in place data transfer agreements should address the potential invalidity of the UK-US ‘data bridge’ mechanism by agreeing on the UK Addendum to the SCCs or by implementing another approved backup mechanism.

These developments come against a more complex (and tense) geopolitical backdrop than in 2015 and 2020, which could influence both the outcome of the appeal and the EU Commission’s future reviews. This uncertainty underscores why it is crucial for businesses to embed the evaluation of transfer mechanism durability as a standard component of their data transfer governance framework.

Tags

data, data protection, gdpr, global, uk, us, europe, tech media and telecoms