Has the European General Court now definitively approved the transfer of data to the US?

Yes, for now. In a long-awaited judgment of 3 September 2025 the European General Court has rejected the first legal attack on the EU-US Data Privacy Framework (DPF) entirely. According to the Court, thanks to recent reforms, the United States provides an adequate and substantially equivalent level of protection for personal data transferred from the European Union. This ruling ends, at least for now, a period of great legal uncertainty for thousands of European companies.

The facts and legal context: the long road after Schrems I and II

Personal data transfers between the EU and the US have a turbulent past. Two previous frameworks, the Safe Harbour principles and the later Privacy Shield, were declared invalid by the European Court of Justice in the high-profile rulings Schrems I (2015) and Schrems II (2020).

The crux of the problem was the same each time: the Court ruled that U.S. law provided insufficient protection against widespread access to personal data by U.S. intelligence and security agencies. Moreover, European citizens lacked an effective legal process to defend themselves against these practices.

To address these fundamental concerns, the U.S. government made significant changes. Via Executive Order 14086 new, stricter rules were imposed on intelligence agencies, emphasizing the principles of necessity and proportionality. Important was the creation of the Data Protection Review Court (DPRC), a new body to provide European citizens with a binding and independent judicial process.

Based on these guarantees, on 10 July 2023, the European Commission ruled that the U.S. again ensured an "adequate level of protection" and the EU-US Data Privacy Framework came into force. It was against this decision that French citizen Philippe Latombe filed a nullity appeal with the European General Court.

The decision of the General Court

The Court completely rejected Latombe's appeal and dismissed each of his arguments. The Court's reasoning validates the efforts made by the US and the Commission.

1. The Data Protection Review Court (DPRC) is indeed an independent tribunal

A central argument of the plaintiff was that the DPRC is not a truly independent and impartial court as required by the Charter of Fundamental Rights of the European Union. It would be too closely linked to the executive.

The Court does not go along with this and thoroughly analyzes the operation of the DPRC. It finds that there are sufficient guarantees of independence:

• Judges are appointed based on strict criteria, similar to federal judges, and can be removed from office only for weighty reasons.
• The DPRC's decisions are binding on U.S. intelligence agencies.
• The fact that the DPRC was established through a presidential decree (an Executive Order) rather than a formal law is not an insurmountable problem, according to the Court. What matters is that in practice the system provides substantially equivalent protection to what applies in the EU, not that the legal instruments are identical.

2. Data collection by intelligence agencies is sufficiently framed

The plaintiff argued that U.S. law still allows large-scale, so-called "bulk" interception of data without prior judicial review, which would violate European law.

This argument is also rejected. The Court finds that the new framework contains significant improvements that limit data collection to what is necessary and proportionate:

• 'Targeted' data collection is the norm. 'Bulk' collection is allowed only for specific, pre-approved national security purposes, such as fighting terrorism or espionage.
• More importantly, there is now a mechanism of a posteriori judicial review through the DPRC. This was a fundamental flaw in the past that has now been rectified. The Court finds that the lack of prior authorization for initial collection is acceptable as long as the entire process is surrounded by robust safeguards and a posteriori control.

3. Other arguments around automated decision making and data security

Two smaller arguments were also rejected. Regarding the right not to be subject to fully automated decisions, the Court noted that most cases would fall under the GDPR . For the remaining, rare cases, U.S. sectoral laws (e.g., in the credit or insurance industries) provide substantially equivalent protection.

The criticism that the DPF's security principles did not explicitly mention the term "consultation" of data was also considered inconclusive. The Court held that the term "use" of data logically includes its "consultation."

Legal analysis and interpretation

At the heart of the reasoning in this judgment is the practical way in which the Court applies the "substantial equivalence" rule. Whereas the Schrems judgments set the bar very high and highlighted the differences between the EU and US legal systems, the Court now focuses on whether the outcome of the protection offered is comparable. It recognizes that the US may use other legal means (such as an Executive Order rather than a law) to achieve an equivalent end.

This is an important nuance. The General Court is not demanding a copy of the EU system, but a U.S. system that creates effective rights and remedies in practice. The establishment of a functioning and binding DPRC, combined with clearer rules for intelligence agencies, was the decisive factor for the Tribunal to conclude that the Commission had passed its strict scrutiny.

A striking and novel reasoning of the Court is its in-depth analysis of the case law of the European Court of Human Rights (ECtHR). Unlike the Schrems II judgment, the Court now relies extensively on ECHR rulings on surveillance, such as Big Brother Watch. By testing the U.S. safeguards against this broad human rights standard - and finding them sufficient - the Court gives its judgment an additional solid and broad-based legal foundation.

Finally, it is crucial to understand that the Court assesses the adequacy decision as a "snapshot" in time. The ruling only confirms the legality of the decision based on the facts and law as it existed on 10 July 2023, the date of its adoption. Future changes in U.S. law or practice could change the situation and require the European Commission to reassess adequacy and, if necessary, modify or even revoke the decision.

What this specifically means

• For enterprises: The ruling brings immediate and welcome legal certainty. You can continue to transfer personal data to U.S. organizations certified under the EU-US Data Privacy Framework. Always check that your U.S. partner is effectively on the official DPF list state.
• For the future: This is a judgment of the General Court (first instance). An appeal can still be lodged with the Court of Justice within a period of two months and 10 days. So the legal saga may not be over. There is a real chance that the case will eventually come back before Europe's highest courts.
• Strategic advice: While the DPF is currently a valid basis, it remains prudent not to completely rule out alternative transfer mechanisms, such as the Standard Contractual Clauses (SCCs) supplemented by a Transfer Impact Assessment (TIA). Diversification of legal instruments can be a robust strategy in this dynamic area of law.

FAQ (frequently asked questions)

Is the Data Privacy Framework now 100% secure for the future?
No. This ruling can still be appealed to the European Court of Justice. Although the DPF now has a solid legal foundation, the Court may rule differently in the future. The current stability is real, but not necessarily permanent.

What is the main difference from the Schrems judgments?
The Schrems I and II rulings invalidated the previous data agreements (Safe Harbour and Privacy Shield). This ruling confirms the validity of the current Data Privacy Framework, ruling that the U.S. has implemented sufficient legal reforms to address the previously identified deficiencies.

Should I adjust my contracts with U.S. suppliers now?
If you rely on the Data Privacy Framework for data transfers, it is sufficient to verify that your partner is on the official DPF list. The DPF acts as a stand-alone basis for retransmission. If you currently use Standard Contractual Clauses (SCCs), you do not need to replace them immediately, but for new transfers, the DPF may be a simpler option.

Conclusion and contact

The ruling in Latombe v. Commission is a victory for the European Commission and provides much-needed stability for transatlantic data flows. The Court validates the new U.S. legal framework, including the Data Protection Review Court, as a mechanism that provides substantially equivalent levels of protection.

Despite this positive ruling, the world of international data transfer remains complex and subject to legal evolution. A possible appeal process keeps the future uncertain.