On 3 September 2025, the General Court (GC) dismissed an action seeking annulment of the Commission’s adequacy decision of 10 July 2023 (Decision EU 2023/1795), namely that the United States of America ensure an adequate level of protection for personal data transferred from the EU under the EU-US Data Privacy Framework (→eucrim 2/2023, 152-153).

Background of the case

As a consequence of the adequacy decision, public and private entities from the European Economic Area (i.e., all the 27 EU Member States as well as Norway, Iceland, and Liechtenstein) are able to transfer personal data to companies in the USA that have certified their participation in the EU-US Data Privacy Framework (DPF). In doing so, they fulfill the requirements for international data transfers as regulated in the General Data Protection Regulation (GDPR). The action against this new framework came against the background that the ECJ had invalidated the two previous frameworks, the Safe Harbour and the Privacy Shield, for not guaranteeing protections “essentially equivalent” to EU law (judgements in Schrems I (→eucrim 3/2015, 85) and Schrems II (→ eucrim 2/2020, 98-99).

In response, the USA issued Executive Order 14086 (October 2022), which strengthens the privacy safeguards governing signals intelligence activities (SIGINT) carried out by the intelligence agencies in the United States. It also issued an Attorney General regulation (28 CFR Part 201), establishing new privacy safeguards for U.S. intelligence activities and creating the Data Protection Review Court (DPRC) as a redress mechanism for EU citizens. The Commission took its new 2023 adequacy decision on this basis.

In the present action for annulment (Case T-553/23, Latombe v Commission), French citizen Philippe Latombe, who is user of various IT platforms that collect his personal data and transfer them to the USA, argued that the 2023 adequacy decision also violates his rights to private and family life, to data protection, and to effective judicial protection under the Charter of Fundamental Rights of the EU (CFR) and the GDPR. He submitted two main arguments:

• The DPRC is not an independent and impartial tribunal established by law, as it is dependent on the executive (possible breach of Art. 47 CFR and Art. 45(2) GDPR);
• The bulk collection of personal data by the U.S. intelligence agencies in transit from the European Union is illegal because it is without the prior authorisation of a court or an independent administrative authority, and it has not been circumscribed in a sufficiently clear and precise manner (breach of Arts. 7 and 8 CFR).

The GC's judgment

With regard to the first plea (independent tribunal), the GC held that the DPRC is institutionally separate from the Civil Liberties Protection Officer (CLPO), whose decisions it reviews, and that Executive Order 14086 provides clear guarantees ensuring that DPRC judges are not subject to executive influence. Judges are appointed by the US Attorney General after consultation with the Privacy and Civil Liberties Oversight Board (PCLOB), which, though formally part of the executive, functions independently. They may be dismissed only for valid reasons, following standards similar to those for U.S. federal judges.

The Court acknowledged that the DPRC had been created by an executive act rather than by Congress but reiterated that “adequacy” under Art. 45 GDPR requires only essentially equivalent safeguards, not identical institutional forms. The combination of the Executive Order and the Attorney General regulation provides sufficient guarantees of independence and impartiality. The Court also noted that the Commission must continuously monitor the U.S. framework and may suspend or amend its decision if those guarantees cease to apply. It therefore found no breach of Art. 47 of the Charter and Art. 45(2) GDPR.

Looking at the second plea (the bulk collection of personal data by U.S. intelligence agencies), the GC held that neither Schrems II nor other case law require prior authorisation, provided there is adequate ex post judicial review. Under the new framework, the DPRC performs this function. Bulk collection is authorised only for specific, validated intelligence priorities that cannot be achieved by targeted collection. The Executive Order sets clear limits and provides multiple layers of oversight, including by the Privacy and Civil Liberties Oversight Board (PCLOB), Inspectors General, the Intelligence Oversight Board, and congressional committees.

The GC also dismissed comparisons with the CJEU’s judgment in La Quadrature du Net and Others (→eucrim 3/2020, 184-186) and the ECtHR’s ruling in Big Brother Watch, noting that those cases concerned different contexts and stages of surveillance.

In conclusion, the GC found that the U.S. legal framework ensures a level of protection for personal data that is essentially equivalent to that guaranteed within the EU. It therefore upheld the Commission’s decision in full.

Put in focus

The GC's ruling in Latombe confirms, for now, the legal validity of transatlantic data transfers under the EU-US Data Privacy Framework. It also clarifies that “essential equivalence” does not demand identical institutional arrangements between the EU and third countries, as long as effective and enforceable safeguards exist to protect individuals’ rights in practice.

In their initial reactions, data protection organisations expressed surprise at the GC's ruling. They criticised the GC for having deviated significantly from ECJ case law and ignoring the realities of the situation. On the one hand, they argued that some aspects of the current safeguards in the DPF are even more detrimental than their predecessors, which the ECJ had already deemed insufficient in the Schrems I and Schrems II judgments. It is therefore surprising that the Court would rule differently on a third version of the EU-US agreement than it did previously. On the other hand, it must be taken into account that the Trump administration can revoke the Executive Order issued by his predecessor Joe Biden in the blink of an eye and will not shy away from dismissing members of a judicial body, even though their independence may be guaranteed by law. Hence, the GC's assessment is in discrepancy with the ECJ's rulings on the independence of the judiciary in Poland; compliance with the guarantees of Art. 47 CFR cannot be assumed.

Data protectionists hope that Mr Latombe will appeal the GC's ruling to the ECJ on points of law and that the Court may then come to a different conclusion.