EGC confirms EU-US Data Privacy Framework: What companies must now consider

The EGC has confirmed the EU-US Data Privacy Framework.

Aristotelis Zervos

Aristotelis Zervos, Editorial Director at 2B Advice, combines legal and journalistic expertise in data protection, IT compliance and AI regulation.

On September 3, 2025, the General Court of the European Union (EGC) issued an important ruling on transatlantic data protection in case T-553/23 (Latombe v. Commission). In its judgment, the General Court dismissed the action against the adequacy decision of July 10, 2023, thus confirming the validity of the EU-US Data Privacy Framework. For companies in the EU, this means legal certainty for the time being with regard to the transfer of personal data to the United States. However, companies are still obliged to actively manage the transfer of data to the USA.

EU-US Data Privacy Framework put to the test

The ECJ ruling builds on a long legal history. Following the ECJ rulings "Schrems I" (2015) and "Schrems II" (2020), the former data protection frameworks "Safe Harbor" and "Privacy Shield" were declared invalid.

This is because the transfer of personal data from the EU to third countries is subject to strict standards that are enshrined in Art. 8 (1) of the EU Charter of Fundamental Rights and Art. 16 (1) TFEU. On this basis, the GDPR (Art. 45 et seq.) stipulates that data transfers are permitted without further authorization if the Commission determines that the third country in question has an adequate level of data protection.

With Implementing Decision (EU) 2023/1795, the Commission has affirmed such a level of protection for the USA. In particular, the reforms introduced by Presidential Decree 14086 and accompanying measures by the US Attorney General were decisive for this. These measures strengthen data protection in the area of intelligence services and establish a new judicial supervisory body: the Data Protection Review Court (DPRC). This independent supervisory body is intended to guarantee effective legal protection for EU data subjects.

Plaintiff takes action against adequacy decision

The plaintiff, French national Philippe Latombe, applied for the annulment of the decision. He based his action essentially on two arguments:

  1. Lack of independence of the DPRC: He argued that the new data protection court was not independent, but dependent on the executive.

  2. Unlawful collection of data by US intelligence agencies: He criticized that the US authorities' practice of collecting personal data without prior authorization is not regulated with sufficient precision and is therefore unlawful.

EGC rejects objections to EU-US Data Privacy Framework

On the independence of the DPRC

The EGC rejected this objection. The appointment of judges is linked to guarantees and their dismissal is only possible for valid reasons. In addition, the influence of the executive was limited by procedural safeguards. Institutional independence was therefore sufficiently guaranteed.

On the collection of personal data

The court also rejected the second plea. It clarified that the Schrems II judgment does not mean that every form of bulk collection necessarily requires prior approval by an independent authority. Rather, the decisive factor is that subsequent judicial review is possible. This is now guaranteed in the USA by the DPRC, so that there is a level of protection that is essentially equivalent to that in Europe.

First test after Schrems I and II

With its decision, the EGC has, for the first time since the two Schrems rulings, confirmed a transatlantic adequacy decision. At the same time, the court confirmed that the USA has a functioning control system, which should dispel the previous concerns.

However, it remains critical that the assessment depends heavily on the practical effectiveness of the DPRC. If it turns out that the control mechanisms do not meet the requirements in practice, the ECJ could intervene again to correct the situation by means of an appeal.

The ECJ ruling has great practical significance: it confirms that the USA currently offers a level of data protection essentially equivalent to that under the GDPR in the EU. The European Commission nevertheless remains obliged to monitor the actual implementation of the framework on a regular basis and to review the adequacy decision for the USA if necessary.

An appeal against the ruling can still be lodged with the ECJ.

Data transfer to the USA must still be managed: What companies need to be aware of

Even if the adequacy decision for the USA creates legal certainty, companies are still obliged to actively manage the transfer of data to the USA. The decision does not release controllers from their accountability and documentation obligations under the GDPR.

Companies should pay particular attention to the following points:

  • Fulfilling transparency obligations: Data subjects must be informed clearly and comprehensibly when their data is transferred to the USA.
  • Data minimization check: Only the data required for the respective purpose should be transmitted.
  • Securing contracts: Even with an adequacy decision, it is advisable to use standard contractual clauses and additional protective measures, especially when data is forwarded to subcontractors.
  • Checking the recipients: Companies should regularly check whether their US service providers are actually certified under the EU-US Data Privacy Framework.
  • Implementing risk management: Internal processes and technical measures must ensure that data protection requirements are also met for transatlantic data flows.


This means that the transfer of data to the USA remains legally simpler, but still requires active compliance and risk management.

Source: Judgment of the European Court of Justice in Case T-553/23 (Latombe v Commission)

Making data transfer legally compliant with Ailance

Complying with data protection obligations when transferring data to the USA can be complex, especially when companies work with many different service providers. With Ailance, you always have an overview:

  • Automated monitoring of data transfers
  • Documentation of all data protection measures
  • Risk assessment and recommendations for action in real time
  • Seamless integration into existing processes


Find out more about Ailance and manage your data transfer in a legally compliant manner!

Aristotelis Zervos is Editorial Director at 2B Advice, a lawyer and journalist with profound expertise in data protection, GDPR, IT compliance and AI governance. He regularly publishes in-depth articles on AI regulation, GDPR compliance and risk management. You can find out more about him on his author profile page.
