Judicial Validation of the EU-US Data Privacy Framework: Between Stability and Erosion
1. Context and subject matter of the dispute
The judgment of the General Court of the European Union (CJEU) of 3 September 2025 in Case T-553/23, Latombe v. Commission, confirms the validity of the EU-US Data Privacy Framework (hereinafter 'DPF'), dismissing the action brought by Mr Philippe Latombe. The main purpose of that action was the annulment of Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 determining, pursuant to Regulation (EU) 2016/679 (GDPR), the adequate level of protection of personal data ensured by the DPF.
2. Background and historical relevance
Historically, the main driver of challenges to the adequacy of this regulatory framework has been Mr Max Schrems, whose actions resulted in the annulment of the previous "Safe Harbour" and "Privacy Shield" agreements. Although the present case differs in its merits, this precedent is relevant, as it shows that the legal certainty of international data transfers between the US and the EU is still under debate. Despite this, diplomatic efforts by both jurisdictions have shown resilience, maintaining a constantly evolving regulatory dialogue.
3. Rationale for the General Court's decision
The Court considers that the US system offers "essentially equivalent" safeguards to those required by EU law. This criterion, less restrictive than that applied in Schrems I and II, is based on two key points: the effective independence of the Data Protection Review Court (DPRC), without the need to replicate European constitutional structures, and the sufficiency of ex post judicial review in the face of mass surveillance, eliminating the requirement of prior authorisation by an independent authority.
4. Uncertainties and risks identified
Although the judgment suggests a stage of institutional reconsolidation, uncertainties remain that prevent it from being considered definitive. These include the possibility of an appeal to the CJEU, the limited scope of the initial appeal and changes in key US bodies, such as the dismantling of the Privacy and Civil Liberties Oversight Board (PCLOB) in 2024, which highlights its institutional fragility.
5. Warnings from European authorities
Several data protection authorities in Europe (Norway, Sweden, Denmark and Germany) have urged companies to develop "exit strategies" from the DPF. These warnings are not mere precautions, but technical signals that alterations in the US could compromise the basis of the adequacy decision.
6. Practical impact and recommendations
Although the ruling can be interpreted as a green light for EU-US transfers, future scenarios point to the need for a more flexible approach, because they carry significant risks: from a possible administrative suspension due to legislative changes in the US to a new, more far-reaching complaint.
Currently, more than 2,800 companies in the US are certified under the DPF, allowing them to continue to rely on the adequacy decision (Art. 45 GDPR) as the legal basis for their transatlantic transfers. This reduces immediate uncertainty and avoids massive disruptions of data flows. However, the stability of the framework is not guaranteed and must be actively monitored, as regulatory or judicial events may arise that call it into question.
It is therefore recommended that organisations maintain flexible strategies, prepare alternative mechanisms such as Standard Contractual Clauses (SCCs) and periodically review data flows.