European General Court Upholds EU-U.S. Data Protection Framework

On September 3, 2025, the General Court of the European Union upheld the validity of the EU-U.S. Data Protection Framework (DPF), following a call for its annulment brought by a French citizen.

French Member of Parliament Philippe Latombe, who also sits on the board of the French data protection authority, the Commission Nationale de l’Informatique et des Libertés, brought an action, in his personal capacity, in the General Court of the European Union calling for the annulment of the DPF. The General Court (also known as the European General Court (EGC)), along with the European Court of Justice (ECJ), make up the Court of Justice of the European Union (CJEU). The EGC is the junior of the two, and its decisions may be appealed to the ECJ.

The DPF is the successor to the EU-U.S. Privacy Shield (the Privacy Shield), which was declared invalid in 2020 by the CJEU following litigation by privacy advocate Maximilian Schrems, acting through not-for-profit NOYB (none of your business), in the landmark case Schrems II. The Privacy Shield was the successor to the EU-U.S. Safe Harbor Framework, which was declared invalid in 2015 following Schrems I. In response, the United States established the Data Protection Review Court (DPRC). The European Commission approved the DPF in July 2023.

Latombe challenged the DPF on the basis that the DPRC did not provide European data subjects with an independent and impartial means of redress since it was a “para-judicial body dependent on the executive.” The EGC did not accept this argument, finding instead that there were a number of safeguards in place to ensure that the DPRC operates independently and impartially. In addition, the European Commission is required to continuously monitor the legal framework on which its adequacy decision in favor of the DPF was based. Accordingly, if the legal framework in the United States were to change, the European Commission could decide to suspend, amend, or repeal the decision, or limit its scope.

Latombe further argued that U.S. intelligence agencies’ bulk collection of personal data in transit from the EU, without prior authorization from a court or independent administrative authority, is indiscriminate and hence illegal. The EGC rejected this argument on the basis that nothing in Schrems II required prior authorization by an independent authority, and that any bulk collection is subject to judicial oversight by the DPRC.

The EGC observed that the requirement of the GDPR in relation to third countries to which personal data is transferred is that the third country provides a level of protection that is “essentially equivalent” to that of the European Union, although how this is achieved need not be identical. In other words, third countries (such as the United States) may achieve the same level of protection as the EU, but by different means.

The EGC also observed that, according to case law, the legality of an EU measure must be assessed on the basis of the facts and the law as they stood at the time of the decision. Accordingly, subsequent developments should not affect the validity of the earlier decision.

The EGC’s decision will be welcomed by the 3,400 U.S. companies that rely on the DPF to transfer personal data from the EU. However, the implications of the decision are not limited to businesses that have self-certified to the DPF; multinationals that rely on the EU Standard Contractual Clauses to transfer personal data from the EU to the United States also must carry out a transfer risk assessment, which, following the EGC decision, can continue to refer to the European Commission’s adequacy decision for the DPF in establishing that the United States provides an adequate level of protection for personal data.

The EGC’s decision reinforces the validity of the DPF, but Philippe Latombe may still appeal to the ECJ. In addition, Maximilian Schrems has criticized the level of protection ensured by the DPF since its adoption, and indicated that he would be challenging the decision, though this has not yet materialized.

Please contact the author of this Blog or your principal Arnold & Porter contact if you have any questions about this Blog or privacy compliance more generally.

© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.