Latombe v. Commission: the Court upholds the EU-US Data Privacy Framework

On September 3, 2025, the General Court of the European Union dismissed Philippe Latombe's appeal against the adequacy decision for the EU-US Data Privacy Framework (DPF). This upholds the DPF as a basis for transfers of personal data to US-based organizations listed on the DPF register.

Important ruling: For lawyers and privacy teams, this is an important milestone. After years of uncertainty following Schrems I and II, there is clarity again, albeit with caveats and points of attention for practice.

The core: why this ruling matters

The DPF is the successor to Safe Harbour and Privacy Shield, which were declared invalid by the Court of Justice in 2015 and 2020. In Latombe v. Commission, the General Court confirms that the United States, at the time the decision of July 10, 2023 was adopted, offered a level of protection "essentially equivalent" to EU law for transfers to DPF-certified organizations.

The Court also points out that the European Commission has a duty to continuously monitor the application of the underlying US framework and, where necessary, suspend, modify or withdraw the decision. This makes the DPF not a one-time set-and-forget solution, but a dynamic framework that can be adjusted if facts or legislation change.

Source: For the full ruling, see the official publication of the General Court.

What the Court specifically reviewed

The challenge to the DPF focused mainly on two pillars: the independence of the Data Protection Review Court (DPRC) as a redress mechanism, and the American practice of "bulk collection" by intelligence services.

Independence of the DPRC

Latombe argued that the DPRC is not independent because it is embedded in the US executive branch. The Court looks at the safeguards in the appointment and dismissal regime for DPRC judges, and at the conditions under which they do their work. It finds that these safeguards are sufficient and that the Commission could reasonably conclude that the DPRC functions independently.

This aligns with the US implementation of Executive Order 14086 (October 7, 2022) and the subsequent Attorney General rules that legally established the DPRC. The Federal Register publication and the CFR regulation provide the legal foundation for this.

Bulk collection and oversight

Important nuance

The Court emphasizes that Schrems II does not require bulk collection always to be approved in advance by an independent authority. At minimum, there must be judicial review after the fact.

According to the Court, the file showed that activities of US intelligence services are subject to ex post judicial control, including through the DPRC. Therefore, US law met the standard of "essential equivalence" on this point.

Finally, the Court points out that the Commission has a continuing duty of supervision. If the US framework changes, the Commission can intervene by limiting, modifying or withdrawing the decision. This builds a safety valve into the ruling for future developments.

The legal anchor: adequacy decision 2023/1795

The Commission based the DPF on Implementing Decision (EU) 2023/1795 of July 10, 2023. That decision explicitly states that transfers to organizations on the DPF list may take place without additional consent, within the limits of the GDPR framework.

It also establishes that the Commission conducts periodic reviews. For organizations, this means that with a DPF-certified recipient, the transfer basis is in principle "established," provided all other GDPR obligations are properly secured. Think of transparency, data minimization, processor agreements and data subject rights.

What this means for EU organizations

For many organizations, the DPF is the simplest route for transfers to certain US service providers. Think of cloud and SaaS suppliers for CRM, HR, email, document management, translation and AI services.

Practical implementation

In practice, it works as follows: you check whether your US recipient is on the official DPF participants list and whether the scope fits your data streams (for example HR data or commercial data). You then conclude appropriate processing and transfer agreements and update your register and privacy statement.

The DPF does not replace the GDPR; it only handles the transfer basis. Remain alert to situations where the DPF does not apply, for example because the US party is not certified, or because your data is transferred onward after receipt to parties outside the DPF scope.

Note: In such cases, you fall back on other instruments, such as standard contractual clauses (SCCs) and a Transfer Impact Assessment (TIA). That TIA work is often easier to substantiate thanks to Executive Order 14086 and the establishment of the DPRC, but it is still necessary.

Example from practice

Consider: a Dutch media company uses a US tool for content creation with built-in generative AI. The supplier is on the DPF list for commercial data. The company can base the transfer on the DPF, provided it has mapped its processor agreement, instructions and sub-processor chain.

Because the tool contains AI functionality, it is wise to also check whether training data or model telemetry ends up outside the DPF scope. If the supplier works with sub-processors for components that are not DPF-certified, an additional basis (such as SCCs) is still needed and a TIA belongs in the file.

Here it helps that the DPRC exists as a second-line facility for complaints, with appointed judges and rules of procedure that support independence.

What does supervisory practice say?

The European Data Protection Board (EDPB) conducted the first review in November 2024. The EDPB appreciated the progress in the US, but also pointed to important areas of concern.

EDPB points of concern

The EDPB mentioned various points that deserve monitoring:

  • The low number of complaints in the first year
  • Need for more ex officio supervision by US authorities on compliance with DPF principles
  • Clarification of "HR data" under the DPF
  • Careful monitoring of the practical functioning of the DPRC
  • Application of necessity and proportionality in intelligence collection

For organizations, the lesson is that the legal basis may be in order, but documentation, chain agreements and transparency remain critical.

Implications for AI applications and data-driven services

Many European organizations are exploring or using generative AI services hosted in the US. When the provider is DPF-certified, this lowers the transfer threshold for prompt content, user metadata and output storage.

Continuing points of attention with AI

However, relevant questions remain that require clarification in your processor agreement and usage settings:

  • Are data used for model improvement, and if so under what conditions?
  • Which sub-processors provide GPU infrastructure or moderation?
  • Are there telemetry or support streams outside the DPF scope?

These points require factual inquiry and clarification. The advantage of the ruling is that the fundamental discussion about adequacy does not halt everything; the focus shifts to concrete risk management in the chain.

Continuing uncertainty and the legal process

The case is not definitively over. An appeal against the General Court's judgment may be brought before the Court of Justice, but only on points of law. The deadline for this is two months and ten days from notification of the decision. This means further legal developments are still possible.

At the same time, the ruling today does provide support for basing transfers on the DPF, as long as the factual and legal foundation in the US continues to suffice and the Commission fulfills its monitoring task.

Approach for your organization

Those working with US suppliers today can follow the path below without falling into paperwork overload.

Step-by-step approach

Start at the source: is the supplier on the DPF list, and does the certification cover the applicable data domain? Record in your processor agreements what happens to data, including AI-related functionality, retention, sub-processors and transfers outside the US.

Update your privacy statement with an understandable explanation of international transfers based on the DPF and data subject rights. Keep your TIA notes handy, even when using DPF, and refer to the safeguards from Executive Order 14086 and the DPRC arrangement that the Court explicitly considered relevant.

For suppliers not yet DPF-certified, continue using your SCCs and additional measures and assess whether US safeguards are sufficient in practice.

Practical implementation

Don't limit yourself to checking boxes. The EDPB findings show that practical compliance requires attention, especially with onward transfers and sector-specific risks. Conduct spot checks on logging and sub-processors, ask for a current list of DPF participants in the chain and document choices.

Discuss with your supplier whether data for model improvement remains outside your tenant, and give users control over export and deletion. This prepares you for audits and keeps you credible toward data subjects.

Final reflection

The ruling in Latombe v. Commission sets a clear benchmark: at the assessment date of the decision, the Commission could reasonably conclude that the US, with EO 14086 and the DPRC, offered sufficient safeguards for transfers to DPF-certified organizations. This makes the transfer practice workable.

Living system

At the same time, it is a living system that moves with legislative and factual changes, and where supervision and future procedures are part of it. For lawyers, DPOs and AI product teams, the task is clear: use the space available, document carefully and keep monitoring.

This is precisely where a mature privacy program distinguishes itself in the coming period. The ruling provides not only legal certainty, but also a framework for proactive compliance in a rapidly changing technological environment.
