On September 3, 2025, the EU General Court (the General Court) (the second-highest court in the European Union (EU)) upheld the validity of EU-U.S. Data Privacy Framework (DPF) in Philippe Latombe v European Commission (T-553/23).

This decision is good news for companies transferring personal data to the U.S. as it offers welcome certainty for U.S. companies self-certified to the DPF, allowing them to continue receiving EU personal data without relying on alternative data transfer mechanisms, such as Standard Contractual Clauses (SCCs). However, the decision may be appealed within two months, and the DPF remains open to further legal scrutiny. Companies transferring EU personal data to the U.S. should continue to closely monitor developments related to transatlantic data transfers.

Background

The EU General Data Protection Regulation (GDPR) prohibits the transfer of European Economic Area (EEA) personal data unless the transfer relies on an adequacy decision or the company transferring the data is able to rely on another valid data transfer mechanism, such as SCCs or Binding Corporate Rules (BCRs). An adequacy decision is adopted by the European Commission (EC) and recognizes that a non-EEA country (or specific organizations within a non-EEA country) ensures an adequate level of protection, allowing personal data to flow freely from the EEA to the relevant organizations located in that country.

The DPF is one of these adequacy decisions. It enables U.S. organizations that self-certify to the framework to import personal data from the EEA into the U.S., without having to rely on another data transfer mechanism.

The DPF is the third transatlantic framework governing EU–U.S. data transfers, following its predecessors—the Safe Harbor and the Privacy Shield—both invalidated by the EU’s highest court (the Court of Justice of the EU or CJEU) in the landmark Schrems I and Schrems II rulings, over concerns regarding U.S. intelligence agencies’ access to the EEA personal data (see here).

While the DPF seeks to address the CJEU’s concerns, it was challenged by an action for annulment brought in 2023 by Mr. Philippe Latombe, a French MP and member of the French Data Protection Authority (CNIL). Today’s decision dismisses this action for annulment, while leaving open the possibility of appeal.

The General Court’s Rationale for Upholding the DPF

In today’s ruling, the General Court upheld the validity of the DPF and found that it provides an adequate level of protection for EEA personal data. This is a reassuring outcome for companies that rely on the DPF to transfer personal data from the EEA to the U.S.

1. The DPRC is sufficiently independent and impartial.

Mr. Latombe argued that the DPF fails to guarantee effective remedy because the Data Protection Review Court (DPRC)—i.e., the court overseeing DPF-related complaints after they are reviewed by the Civil Liberties Protection Officer (CLPO)—is not impartial or independent. The General Court rejected this, finding that the DPRC operates under sufficient guarantees of independence.

The General Court found that:

• The CLPO, although part of the U.S. intelligence structure, acts independently when handling complaints.
• When the Privacy and Civil Liberties Oversight Board (PCLOB) is consulted on the appointment of the DPRC judges, it acts independently from the executive.
• The DPRC is institutionally and functionally independent from both the CLPO and the Attorney General. Its judges benefit from safeguards equivalent to federal judges, cannot be directed by the executive, and its rulings are final and binding on the U.S. government and intelligence agencies.
• Although created by an Attorney General regulation rather than law, the DPRC’s structure and safeguards ensure impartiality and effective redress.
• Additional guarantees—such as judicial expertise, broad access to information, and support from a special data protection lawyer having access to classified information—further strengthen its independence.

2. Bulk collection of personal data by U.S. intelligence agencies does not require prior authorization.

Mr. Latombe argued that the DPF violates the EU Charter of Fundamental Rights because U.S. intelligence agencies may engage in “bulk” data collection without the prior authorization of a court or an independent administrative authority. The General Court dismissed this, holding that prior authorization is not required if such collection is based on clear and precise rules, and subject to an effective judicial remedy.

The General Court considered that these conditions were satisfied, because:

• U.S. law permits bulk data collection only when necessary for validated intelligence priorities that cannot reasonably be achieved through targeted data collection, and subject to specific safeguards, including data minimization, necessity, and proportionality.
• Judicial oversight is ensured through the DPRC, whose binding rulings apply to both the U.S. government and intelligence agencies. In addition, such activities are overseen by multiple other bodies, including: the PCLOB, the legal officers and compliance officials within each intelligence agency, independent inspectors general, the Intelligence Oversight Board, and Congressional special committees.

Next Steps

This decision is a welcome development for companies transferring personal data from the EEA to the U.S. For the first time, one of the EU's highest courts has confirmed the validity of an EU adequacy decision, providing legal certainty and allowing companies to continue relying on it to transfer personal data from the EEA to the U.S.

However, Mr. Latombe may still appeal the General Court’s decision before the CJEU, and it is unclear whether the CJEU would follow the General Court’s reasoning. For example, the CJEU has in the past found that adequacy decisions are to be evaluated based on the legal and factual situation at the time of the challenge, whereas in Latombe the General Court diverged from this standard and stated that decisions are to be evaluated based on the situation at the time the decision was enacted (which was at the time of the former administration). In addition, the EC could, in theory, decide to suspend or repeal the DPF if it considers in the future that U.S. law no longer provides sufficient protection for EEA personal data.

Given the uncertain nature of the current geopolitical context, companies should continue to monitor the landscape for potential appeals and future legal challenges.

If you have any questions regarding the GDPR and data transfer requirements, please contact Cédric Burton, Laura De Boel, Yann Padova, or Nikolaos Theodorakis from Wilson Sonsini’s Data, Privacy, and Cybersecurity practice.

Rossana Fol, Hattie Watson, and Aurore Troussel contributed to the preparation of this Alert.