EU court dismisses challenge to US data privacy framework in Latombe case

The European General Court dismissed on September 3, 2025, an action seeking to annul the EU-US Data Privacy Framework that permits personal data transfers between Europe and the United States. French Member of Parliament Philippe Latombe had challenged the framework's validity, arguing that American oversight mechanisms lack sufficient independence and that bulk data collection practices violate European privacy standards.

According to the Court's press release, "the General Court dismisses the action for annulment." The ruling affirms the European Commission's July 10, 2023 adequacy decision establishing the third iteration of transatlantic data transfer arrangements following two previous frameworks invalidated in the landmark Schrems I and Schrems II cases.

Latombe, who represents Vendée's first constituency in the French National Assembly, filed the case on September 6, 2023. The 50-year-old politician, who previously worked with Deloitte and Crédit Agricole before joining the Democratic Movement party in 2017, serves on Parliament's Committee on Legal Affairs and co-chairs a fact-finding mission on video surveillance in public spaces.

Court rejects independence claims

The General Court addressed two primary arguments raised by Latombe. Regarding the Data Protection Review Court (DPRC), which serves as the oversight body for intelligence activities affecting EU citizens, the court found that "the appointment of judges to the DPRC and the DPRC's functioning are accompanied by several safeguards and conditions to ensure the independence of its members."

According to the ruling, "judges of the DPRC may be dismissed only by the Attorney General and only for cause, and the Attorney General and intelligence agencies may not hinder or improperly influence their work." The court rejected Latombe's argument that the DPRC lacks independence from the executive branch.

The Commission established the framework through Implementing Decision (EU) 2023/1795, which permits EU organizations to transfer personal data to certified US companies without additional authorization. This mechanism replaced the Privacy Shield arrangement, which the Court of Justice invalidated in July 2020 following privacy concerns raised by Austrian activist Max Schrems.

Bulk collection standards upheld

On Latombe's second major argument concerning bulk collection of personal data by US intelligence agencies, the General Court determined that prior authorization from an independent authority is not required under European law. The court stated that "there is nothing in Schrems II to suggest that that collection must necessarily be subject to prior authorisation issued by an independent authority."

Instead, the court found that "the decision authorising such collection must, at a minimum, be subject to ex post judicial review." According to the judgment, US law provides for ex post judicial oversight by the DPRC, meeting the requirements established in the Schrems II precedent.

The court concluded that "the bulk collection of personal data by American intelligence agencies" does not "fall short of the requirements arising from Schrems II" and that US law ensures "a level of legal protection that is essentially equivalent to that guaranteed by EU law."

Legal framework origins

The current framework emerged from regulatory developments following the Schrems II ruling. On October 7, 2022, the United States adopted Executive Order 14086, which strengthened privacy safeguards for intelligence agency activities. An Attorney General Regulation supplemented this order by establishing the DPRC's operational framework.

According to the Commission's decision, these US regulatory changes addressed the fundamental rights concerns that led to the invalidation of previous data transfer arrangements. The framework applies to organizations certified under the Data Privacy Framework principles administered by the US Department of Commerce.

The General Court emphasized that the Commission maintains ongoing monitoring obligations. The court noted that "if the legal framework in force in the United States at the time of the adoption of the contested decision changes, the Commission may decide, if necessary, to suspend, amend or repeal the contested decision or to limit its scope."

Privacy advocates express disappointment

Max Schrems, the Austrian privacy activist whose previous challenges led to two framework invalidations, criticized the General Court's decision. According to a statement from his organization noyb, "This was a rather narrow challenge. We are convinced that a broader review of US law – especially the use of Executive Orders by the Trump administration should yield a different result."

Schrems highlighted concerns about the framework's reliance on executive orders rather than permanent legislation. "The Court, for example, held that the new 'Data Protection Court of Review' (DPCR) would be independent - when such independence is only guaranteed by a Presidential Executive Order and not by law," according to noyb's analysis.

The organization noted that "Trump right now removes people even when their independence is guaranteed by law." This reference relates to recent developments where the Trump administration has dismissed officials from positions traditionally considered independent, including heads of the Federal Trade Commission and Federal Reserve.

Technical implementation details

The EU-US Data Privacy Framework operates through a certification system administered by the US Department of Commerce. Companies seeking to receive European personal data must commit to data protection principles that mirror GDPR requirements, including purpose limitation, data minimization, and individual rights provisions.

According to the framework documentation, certified organizations must implement technical and organizational measures to protect personal data. These include encryption requirements, access controls, and audit procedures designed to demonstrate compliance with European standards.

The framework establishes multiple complaint mechanisms for European individuals. These include direct communication with companies, referral to national data protection authorities, and ultimate recourse to the DPRC for cases involving national security processing.

Marketing industry implications

The decision provides continued legal certainty for digital marketing operations involving EU-US data transfers. Major technology platforms and advertising companies have invested significantly in Data Privacy Framework compliance since the Commission's adequacy decision took effect in July 2023.

Marketing technology vendors typically process substantial volumes of personal data for advertising targeting, campaign measurement, and customer analytics. The framework's survival means these operations can continue without implementing additional contractual safeguards like Standard Contractual Clauses, which add complexity and legal risk to data transfer arrangements.

However, recent developments in the Trump administration have created new uncertainties for the framework's long-term viability. Executive orders reviewing Biden-era national security decisions could affect the privacy safeguards underpinning the adequacy decision.

Appeal prospects remain

The General Court's decision can be appealed to the European Court of Justice within two months and ten days of notification. According to legal experts, such an appeal would be limited to points of law rather than factual determinations.

Latombe's legal team, which includes lawyers specializing in data protection and digital rights, has not yet announced whether they will pursue an appeal. The case attracted support from Ireland and the United States as intervening parties, indicating the decision's significance for transatlantic commerce.

The judgment arrives as European data protection authorities face increasing scrutiny over enforcement consistency. Statistics from the European Data Protection Board show only 1.3% of GDPR cases resulted in fines between 2018 and 2023, raising questions about regulatory effectiveness.

Broader regulatory context

The decision comes amid broader European efforts to strengthen data protection frameworks. The European Data Protection Board has recently issued guidance on blockchain processing requirements and age verification systems, demonstrating continued regulatory attention to emerging technologies.

European regulators have also worked to address enforcement coordination challenges through new procedural regulations, though these efforts have faced criticism for creating additional bureaucratic complexity rather than streamlining processes.

The General Court's ruling in the Latombe case represents a significant validation of the Commission's approach to balancing data protection requirements with commercial necessities. However, the framework's reliance on executive assurances rather than permanent legislation continues to generate concerns about long-term stability, particularly given recent political developments in the United States.

Timeline

• July 26, 2000: Commission adopts first EU-US data transfer adequacy decision (Safe Harbor)
• October 6, 2015: Court of Justice invalidates Safe Harbor in Schrems I case
• July 12, 2016: Commission adopts Privacy Shield adequacy decision
• July 16, 2020: Court of Justice invalidates Privacy Shield in Schrems II case
• October 7, 2022: United States adopts Executive Order 14086 strengthening privacy safeguards
• July 10, 2023: Commission adopts Data Privacy Framework adequacy decision
• September 6, 2023: Philippe Latombe files annulment action at General Court
• September 3, 2025: General Court dismisses Latombe's challenge
• January 20, 2025: Trump administration initiates review of Biden-era national security decisions
• July 17, 2024: European Data Protection Board publishes Data Privacy Framework FAQ

Summary

Who: French Member of Parliament Philippe Latombe challenged the European Commission's adequacy decision for US data transfers. The European General Court issued the ruling dismissing his case.

What: The General Court rejected an annulment action against the EU-US Data Privacy Framework, which permits personal data transfers from Europe to certified US organizations without additional authorization.

When: The judgment was delivered on September 3, 2025, nearly two years after Latombe filed his challenge on September 6, 2023.

Where: The case was heard at the European General Court in Luxembourg. The framework governs data transfers between the European Union and the United States.

Why: Latombe argued that US oversight mechanisms lack independence and that bulk data collection practices violate European privacy standards. The court found these arguments unconvincing, determining that US law provides adequate protection equivalent to EU standards.