Case Report: EU-US Data Privacy Framework Survives Attack In Court (Latombe v. Commission)
French citizen challenges EU-US data privacy deal, claiming weak oversight and excessive US surveillance powers.
The latest controversial judgment of the General Court in Latombe v Commission represents a decisive moment in the ongoing contest over transatlantic data transfers between the US and EU. The Court has endorsed the European Commission’s adequacy decision, validating the EU-US Data Privacy Framework. Critics will argue that the Court has accepted surveillance safeguards that remain contested and has closed its eyes to fundamental weaknesses.
🏛️ Court: Court of Justice of the European Union (CJEU)
🗓️ Date: 3 September 2025
🗂️ Case Number: Case T-553/23
EU Court Confirms Validity of the New EU-US Data Privacy Framework
The General Court of the European Union has delivered its judgment in Latombe v Commission (T-553/23), a case that challenged the legality of the European Commission’s adequacy decision for personal data transfers to the United States.
The Court’s ruling on 3 September 2025 confirms the continued validity of the EU-US Data Privacy Framework, which had been adopted by the Commission in July 2023.
This case is significant because it represents the latest legal examination of transatlantic data flows following the high-profile annulments of previous frameworks in Schrems I (2015) and Schrems II (2020).
In contrast to those earlier judgments, the General Court has chosen not to intervene this time.
Organisations engaged in cross-border data transfers and individuals concerned about privacy rights, will be reassured with this court decision.
Here is why.
Background to Latombe v Commission
The protection of personal data is enshrined in Article 8 of the Charter of Fundamental Rights of the European Union and Article 16 of the Treaty on the Functioning of the European Union.
These provisions underpin the General Data Protection Regulation (GDPR), which sets out rules for data transfers outside the Union.
Under the GDPR, the European Commission may issue an adequacy decision if it determines that a third country ensures a level of protection essentially equivalent to that within the Union.
Such a decision allows personal data to flow without additional authorisation.
The contested adequacy decision of July 2023 was adopted after the United States introduced new safeguards.
In particular, Executive Order 14086 and an Attorney General regulation created a new oversight body, the Data Protection Review Court (DPRC), and restructured rules governing intelligence agencies’ access to personal data.
These reforms were intended to address the concerns identified in Schrems II, where the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield framework on the grounds that US law did not provide adequate safeguards against surveillance practices.
The Challenge by Philippe Latombe
Philippe Latombe, a French national and regular user of online platforms that process and transmit his personal data to the United States, challenged the European Commission’s adequacy decision of 10 July 2023.
His legal action before the General Court sought annulment of the decision, arguing that the newly established framework failed to guarantee the protection of his rights under EU law.
Latombe advanced two principal claims.
First, he maintained that the Data Protection Review Court (DPRC), the oversight mechanism created under Executive Order 14086 and subsequent Attorney General regulation, lacked genuine independence.
In his view, the DPRC was embedded in the executive branch of the US government and therefore subject to political or institutional pressures.
He argued that such dependence would prevent the body from serving as an impartial tribunal capable of safeguarding the rights of EU citizens whose data is transferred overseas.
Second, Latombe raised concerns about the powers of US intelligence agencies.
He contended that their ability to engage in bulk collection of data in transit from the European Union was not bounded by clear and precise rules.
According to him, the absence of prior authorisation from an independent court or administrative authority rendered these surveillance practices unlawful and incompatible with the standard of fundamental rights protection demanded under EU law.
Latombe’s challenge was firmly rooted in the history of transatlantic data transfers.
Both the Safe Harbour and Privacy Shield frameworks had previously been annulled in the Schrems I and Schrems II cases, precisely because US surveillance powers were considered excessive and inadequately checked.
By drawing parallels, he sought to persuade the Court that the European Commission’s new adequacy decision suffered from the same structural flaws and that individuals’ personal data remained exposed to disproportionate collection and insufficient judicial protection.
The General Court’s Reasoning
The General Court dismissed the action in its entirety.
On the independence of the DPRC, the Court emphasised that the appointment and functioning of its judges are subject to safeguards designed to prevent undue influence.
Judges may only be dismissed for cause, and neither the Attorney General nor intelligence agencies may improperly interfere in their work.
On that basis, the Court concluded that the DPRC enjoys sufficient independence and impartiality.
On the question of bulk data collection, the Court clarified that nothing in Schrems II required prior authorisation of such collection by an independent authority.
What is essential is that ex post judicial review must be available.
According to the Court, US law provides that oversight through the DPRC, which can review decisions and ensure compliance.
As a result, the Court found that US practices do not fall below the standard of essential equivalence with EU law.
The Court also stressed that the Commission remains under a duty to monitor developments in US law.
If future changes undermine the adequacy of protection, the European Commission has the power to suspend, amend, or repeal the decision.
Why This Case Matters
This judgment has immediate implications for businesses, regulators, and individuals.
Companies engaged in transatlantic commerce gain reduced uncertainty from the confirmation of the framework, which allows data transfers to continue under a recognised legal basis.
The ruling reinforces for regulators the idea that adequacy decisions must be continuously monitored rather than treated as permanent guarantees.
The decision also demonstrates a more pragmatic approach by the EU courts after the strict stance in Schrems I and Schrems II.
The General Court accepted the European Commission’s assessment that new US safeguards are sufficient for now.
This suggests a recognition of the diplomatic and economic importance of stable data transfer mechanisms.
Further Points to Consider
Several points deserve attention:
Legal certainty: The judgment means that transfers under the EU-US Data Privacy Framework remain valid. Businesses relying on this mechanism can proceed with greater confidence.
Ongoing compliance: Adequacy does not relieve controllers or processors from their responsibilities under the GDPR. Technical and organisational safeguards must remain in place, and accountability mechanisms must be maintained.
Risk awareness: The Court’s reliance on ex post oversight rather than prior authorisation means that individuals may still be subject to surveillance before any review occurs. Businesses must be mindful of public concerns and reputational risks even if the framework is legally valid.
Future challenges: The possibility of an appeal to the CJEU remains open. Moreover, civil society organisations or individuals may continue to test the resilience of the framework through further litigation.
The judgment illustrates how fundamental rights are assessed in a practical context.
The Court did not deny the existence of surveillance practices but accepted the safeguards as adequate in light of EU standards.
Awareness of how personal data may circulate internationally is essential for users of digital platforms.
While the General Court has provided clarity, the issue is unlikely to disappear.
An appeal limited to points of law may be filed before the Court of Justice within two months and ten days.
If such an appeal is made, the CJEU will again scrutinise whether the level of protection in the United States truly matches that required under EU law.
Even if the adequacy decision survives, it will remain subject to continuous review by the European Commission.
The transatlantic dialogue on data protection will continue, shaped by legal, political, and technological developments.
For now, the ruling allows stakeholders on both sides of the Atlantic to operate with a recognised framework in place.
The importance of data transfers for trade, research, and innovation means that this outcome provides stability that is both welcome and necessary.
Conclusion
The Latombe v Commission judgment demonstrates the General Court’s acceptance of the European Commission’s assessment of the new US safeguards.
By confirming the adequacy of protection, the Court has upheld a vital mechanism for international data flows.
The decision reflects a careful balance between rights and realities, law and practice.
The key message is to engage constructively with these frameworks, respect GDPR obligations, and remain prepared for further legal or regulatory developments.
The Court’s judgment does not end the debate, but it does provide a workable legal basis at a time when certainty is essential.
Businesses should continue to document their data transfer practices, review their compliance programmes, and monitor the European Commission’s periodic assessments.
Individuals should remain informed about their rights and the mechanisms available to exercise them.
Regulators should maintain vigilance to ensure that the adequacy decision continues to meet the high standard of protection required by EU law.
This ruling will not end the debate on transatlantic data transfers, and its implications will continue to unfold. Legal arguments, policy choices, and commercial realities remain tightly bound. I welcome your thoughts on whether the Court has drawn the right line between privacy and practicality. Share your reflections in the comments and join the conversation.
Access our EU AI Tracker here to monitor the latest developments in EU artificial intelligence laws and regulations.
I remember reading the Schrems cases many years ago. In light of the annulments in Schrems I and Schrems II, do you think this adequacy decision will survive long term, or should we prepare for another cycle of legal uncertainty over data transfers? This is so frustrating.