On 3 September 2025, the General Court of the European Union dismissed an action brought in the Case T-553/23 | Latombe v Commission case, challenging the adequacy decision that facilitates the transfer of personal data between the EU and the United States. This ruling confirms that, as of the decision’s adoption, the U.S. ensures an adequate level of protection for personal data transferred from the EU.
Background
The EU–U.S. data transfer framework, established by the European Commission on 10 July 2023, was designed to address the legal uncertainties following the Schrems II judgment, which invalidated previous adequacy decisions due to concerns over U.S. surveillance practices. In response, the U.S. enacted an Executive Order in October 2022 to enhance privacy safeguards, particularly concerning intelligence agencies’ access to personal data. This was supplemented by an Attorney General Regulation amending the provisions governing the establishment and functioning of the Data Protection Review Court (DPRC).
The General Court’s Ruling
Philippe Latombe, a French member of parliament, challenged the adequacy decision, arguing that the DPRC lacked independence and that U.S. intelligence agencies’ bulk data collection practices were insufficiently regulated. The General Court rejected both claims.
- DPRC Independence: The Court found that the DPRC’s structure, including the appointment and dismissal procedures for judges, incorporated sufficient safeguards to ensure its independence from the executive branch.
- Bulk Data Collection: The Court noted that, under U.S. law, signals intelligence activities are subject to ex post judicial review, aligning with the requirements set out in Schrems II.
Consequently, the General Court upheld the Commission’s adequacy decision, affirming that the U.S. provides an adequate level of protection for personal data transferred from the EU.
Implications for Businesses
This ruling has significant implications for businesses engaged in transatlantic data flows:
- Legal Certainty: Companies can continue to rely for now on the decision to transfer personal data to the U.S. if within the stipulations of the Data Transfer Framework (DTF).
- Ongoing Compliance: The Commission is required to monitor the application of the legal framework continuously. If there are changes in U.S. law that affect data protection, the Commission may suspend, amend, or repeal the adequacy decision.
- Litigation Risks: While the General Court upheld the adequacy decision, the possibility of further legal challenges remains. Businesses should stay informed about potential developments and be prepared to adjust their data transfer practices accordingly.
Conclusion
The General Court’s decision provides a degree of stability for businesses involved in EU–U.S. data transfers. However, the dynamic nature of data protection law necessitates ongoing vigilance. Companies should continue to monitor legal developments and ensure that their data transfer mechanisms remain compliant with both EU and U.S. regulations.
