In our article dated July 10, 2023, we reported on the European Commission’s new adequacy decision on the EU-US Data Privacy Framework (DPF). The aim of the DPF was to remedy the shortcomings identified by the ECJ in its Schrems I (Safe Harbor) and Schrems II (Privacy Shield) rulings. At that time, the focus was primarily on the far-reaching powers of US security authorities and the lack of effective legal protection for EU citizens. Executive Order 14086 and the establishment of the Data Protection Review Court (DPRC) were intended to address these criticisms.
Now, on September 3, 2025, the Court of Justice of the European Union has confirmed the Commission’s adequacy decision in case T-553/23 (Latombe v. Commission; EUR-Lex document 62023TJ0553). The plaintiff had argued that the US still did not guarantee a “substantially equivalent” level of data protection. However, the General Court dismissed the action and found that the reforms introduced by the US – in particular the new control and legal protection mechanisms – meet the requirements of EU law (General Court, judgment of September 3, 2025 – T-553/23).
This is the first time that the court has reviewed the substance of an adequacy decision in the area of transatlantic data transfers and affirmed its legality. Particular emphasis was placed on the role of the DPRC, which, as an independent and binding authority, examines complaints from European data subjects against intelligence access in the US and can provide redress. In contrast to the expired Privacy Shield, the new US rules now provide clear guidelines on the necessity and proportionality of intelligence measures.
For companies, the ruling initially means legal certainty: as long as US partner companies participate in the DPF and are certified, data transfers can be based on the DPF. Nevertheless, the obligation to review transfers carefully remains. Transfer Impact Assessments (TIAs), technical safeguards (e.g., encryption), and documentation of the safeguards used are still required to meet the requirements of the GDPR.
It remains to be seen whether the final word has already been spoken. An appeal against the decision of the General Court can be lodged with the ECJ. In view of the criticism from data protection organizations, it is to be expected that the DPF will also be subject to further review by the ECJ. Until then, however, the ruling provides a solid basis for transatlantic data transfers.
Conclusion: With the confirmation by the General Court, the DPF has passed its first legal test. Unlike after the abrupt end of Safe Harbor and Privacy Shield, companies can now rely on stable framework conditions for the time being. Nevertheless, it is advisable to closely monitor further developments and not to base existing compliance processes solely on the DPF, but to secure them with supplementary measures.