09-04-2025 Article

General Court confirms effectiveness of EU-US Data Privacy Framework

Update Data Protection No. 219

Today, September 3, 2025, the General Court of the European Union (GCEU) dismissed the action for annulment brought against the Commission's adequacy decision, thereby confirming the validity of the EU-US Data Privacy Framework (DPF). For European companies, the ruling means that data transfers to certified US service providers will continue to be permitted without additional safeguards for the time being. Nevertheless, a residual risk remains because the French plaintiff, Philippe Latombe, has two months to appeal to the European Court of Justice (ECJ). The following article assesses the decision, describes the legal and political background as well as the US reform measures, and provides practical recommendations for cloud users in the EU.

The decision of the General Court and its immediate effect

Since July 2023, transatlantic data traffic has been based on the Commission's adequacy decision pursuant to Art. 45 GDPR. This was challenged by French MP Latombe in an individual action for annulment (T-553/23). In today's oral ruling, the General Court dismissed the action as unfounded after substantive examination, without first ruling on its admissibility. In its reasoning, the Court commented in detail on the most important substantive concerns and confirmed that the US legal changes examined by the Commission meet the standard of "essentially equivalent" protection established by the ECJ in Schrems II.

The General Court particularly appreciated the interaction between Executive Order 14086, the two-tiered remedy mechanism of the Civil Liberties Protection Officer (CLPO) and the Data Protection Review Court (DPRC), and the expanded judicial review of FISA 702 orders by the Foreign Intelligence Surveillance Court. The judges emphasized that the Commission had assessed the proportionality of US signals intelligence measures not solely on the basis of abstract powers, but on the basis of actual practice. The court also rejected criticism of the DPRC's lack of independence, stating that the three-member chamber was appointed independently, enjoyed term guarantees, and could order binding remedies for its decisions. Finally, the General Court emphasized that the decision provides for a mandatory annual review procedure so that any future deviations can be addressed quickly.

Latombe has two months and ten days to appeal to the ECJ. In practice, an appeal procedure takes an average of eighteen months. Until a possible annulment, the adequacy decision remains effective.

Origin and architecture of the Data Privacy Framework

The European Court of Justice has twice – in Schrems I in 2015 and Schrems II in 2020 – overturned previous transfer mechanisms because US surveillance powers were not limited to the necessary extent and data subjects did not have effective legal protection. The US initially responded with selective administrative agreements, but their temporary nature remained insufficient. It was not until the political mandate of the EU-US Trade and Technology Councils in 2021 that a complete restart was achieved. On October 7, 2022, President Biden signed Executive Order 14086, "Enhancing Safeguards for United States Signals Intelligence Activities," on the basis of which the Department of Justice issued a regulation establishing the DPRC on October 14, 2022. After the EU member states had given their approval under the comitology procedure, the Commission announced its adequacy decision on July 10, 2023.

These elements, flanked by the Privacy and Civil Liberties Oversight Board (PCLOB), which remains independent, have, in the Commission's view, created a level of protection that is essentially equivalent to European fundamental rights.

Criticisms and their treatment by the court

The plaintiff refers to unchanged powers of mass surveillance under FISA 702 and EO 12333. The General Court clarified that the "bulk element" as such is not decisive; what is decisive is whether sufficient filtering, review, and deletion mechanisms are in place. These have been implemented in sufficient form with the targeting procedures introduced in 2024, the review by the Foreign Intelligence Surveillance Court, and the audit obligations of the PCLOB.

Effective legal protection

Latombe does not consider the DPRC to be independent due to its embedding in the executive branch. The court followed the Commission's view that independence must be understood in functional terms. The proceedings before the DPRC allow for binding and enforceable remedies, as the Attorney General has committed to giving the decisions "full legal effect." The fact that the person concerned does not appear in person, but that a "special advocate" is appointed, does not violate Article 47 of the EU Charter of Fundamental Rights or the essence of effective legal protection, because confidentiality interests of national security justify indirect proceedings.

Formal complaints

The court dismissed Latombe's complaint that the decision had only been published in English, pointing out that only the version published in the Official Journal in the languages of the EU institutions was binding, and that this had been submitted within the deadline. Nor did the lack of involvement of national parliaments constitute a procedural error, as the GDPR expressly assigns decision-making power to the Commission.

Practical implications for transatlantic data flows

As long as the adequacy decision remains in force, personal data can be transferred without additional safeguards to US companies that are on the DPF list maintained by the Department of Commerce. Supervisory authorities are bound by the decision and may not impose fines for such transfers. Special regulations that apply in parallel – such as those relating to health or employee data – remain unaffected; they continue to require privacy-by-design concepts and transparent information obligations.

The decision creates short-term legal certainty for the use of Azure, AWS, Google Cloud, Salesforce, and comparable US providers, provided they have been certified. Microsoft and Amazon have already been registered since August 2023. Those who use sub-processors must continue to check whether the entire processing chain remains within the DPF framework. The focus of data protection law is thus shifting back to classic issues such as purpose limitation, data minimization, and deletion periods.

Nevertheless, those responsible should not underestimate the transition risks: if the ruling does not hold up before the ECJ, a fallback to standard contractual clauses and supplementary technical measures will be necessary within a few weeks.

Recommendations for action for EU companies

Companies should use the respite granted by the General Court to make their transfer governance more robust. First, it is advisable to document all recipient systems in full, as the DPF only protects certified entities. Second, it is worth keeping the current standard contractual clauses ready for negotiation in parallel so that a negative ECJ ruling can be implemented without operational disruption. Third, those responsible should actively evaluate the Commission's annual review report and feed the findings into their own risk analysis.

From a practical perspective, it may be advisable to outsource sensitive workloads – such as health or research data – to EU data centers now, or to process them pseudonymously using the "EU Access" options offered by large hyperscalers. It should also be examined whether additional resilience can be created through client-side encryption with exclusive European key storage. Compliance teams should work closely with security architects to establish verifiable technical and organizational measures that take into account the national security requirements of each party.

At the same time, data protection notices, data processing agreements, and directories pursuant to Art. 30 GDPR must be continuously adapted to accurately reflect the transfer mechanism. Otherwise, formal administrative fines may be imposed regardless of the substantive legality.

Conclusion

Today's ruling by the General Court provides the EU-US Data Privacy Framework with the necessary legal certainty that companies have been lacking since Schrems II. Transatlantic data flows can thus continue on a sound legal basis. However, it would be premature to give the all-clear, as only the ECJ has the final say. Companies should therefore view the coming months not as a grace period, but as an opportunity to make their transfer strategies resilient. Those who create transparency now, prepare alternative contracts, and implement technical encryption will also survive a possible third Schrems ruling without fines or business interruptions.
