Why the EU General Court's Ruling on the EU‑U.S. Data Privacy Framework Is Crucial for U.S. Businesses

On September 3, 2025, the European Union General Court (EGC) dismissed a legal challenge to the EU-U.S. Data Privacy Framework (DPF) – a first in these types of challenges typically brought by privacy activists. This decision brings renewed clarity to cross‑border data transfers and offers tangible advantages to U.S. business entities.

What This Means for U.S. Businesses

Over the past 10 years, the EU has taken a hard look at three different agreements meant to allow personal data to flow legally between Europe and the U.S. The first two – Safe Harbor in 2015 and Privacy Shield in 2020 – were struck down by the EU courts. This decision is different. It keeps the current DPF in place, giving businesses on both sides of the Atlantic a much-needed sense of stability. That’s especially important right now, as the two regions continue to work through differences in how they regulate data and digital trade. Key outcomes of the ruling:

Stability in legal landscape: Over 3,400 U.S. companies that rely on the DPF – such as those using cloud services, transferring payroll or HR data or operating EU‑U.S. enterprise tools – can continue their data flows without interruption. The ruling ensures continued confidence across sectors including finance, tech, pharmaceuticals and manufacturing.
Extended reliance on adequacy decisions: Businesses using Standard Contractual Clauses (SCCs) or other mechanisms can still reference the DPF adequacy decision as supporting evidence in data protection impact assessments required under the General Data Protection Regulation (GDPR).
Ongoing Commission vigilance: With the European Commission tasked with continuous monitoring of U.S. data protection standards, any legislative or structural shifts in the United States could prompt amendments – or even suspension – of the adequacy finding. Proactive businesses should stay alert.
Legal risks persist: The plaintiff has the option to appeal to the Court of Justice of the EU (CJEU). Privacy advocates remain vocal, suggesting more legal scrutiny could follow.

The Essentials of the Case

What Happened

Philippe Latombe, a French citizen in his personal capacity, but also a Member of Parliament, and board member of the French Data Protection Authority CNIL, challenged the European Commission’s 2023 adequacy decision, which recognized that the DPF ensures “adequate” protection for EU citizens’ personal data being transferred to the U.S. Latombe’s claims against the framework – centered on two main concerns – were fully rejected by the court.

Latombe’s challenges focused on:

The independence and impartiality of the U.S. Data Protection Review Court (DPRC), the body set up to review intelligence-related data collection.
Bulk data collection practices conducted by U.S. agencies without prior authorization.

The court concluded that the DPRC incorporates sufficient safeguards – such as structured appointment rules, limited grounds for dismissal and insulation from executive interference – to qualify as independent and impartial. It also determined that retrospective judicial oversight of bulk data collection is consistent with EU standards and that the amount of protection – though not method – is what counts.

Additionally, the EGC emphasized that its review applies to the legal landscape at the moment the adequacy decision was made – meaning any future changes in U.S. law would need to be monitored and could trigger revisions to the framework.

What’s Next?

It’s still unclear if or when an appeal might happen – and how the courts might respond to recent developments in U.S. privacy oversight. One open issue is the removal of Democratic members from the U.S. Privacy and Civil Liberties Oversight Board, a key part of the privacy protections built into the current framework. That dispute is still making its way through U.S. courts and could influence future legal challenges in the EU.

EU privacy activist Max Schrems, who successfully challenged the two prior EU-U.S. data transfer agreements, has voiced concerns about this decision. He argues that the court overlooked important aspects of U.S. surveillance law and believes a broader legal challenge could eventually lead to a different outcome. His team is actively considering next steps, and Schrems has warned that while this ruling gives the EU-U.S. deal more time, it doesn’t resolve the uncertainty that still exists for both businesses and individuals.

If you have any questions about how this ruling may impact your business, please contact Megan Miller, Chiara Portner, or your regular Lathrop GPM attorney.

Cookie	Duration	Description
__cf_bm	1 hour	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
_cfuvid		Calendly sets this cookie to track users across sessions to optimize user experience by maintaining session consistency and providing personalized services
algoliasearch-client-js	1 year	Necessary in order to optimize the web site's search-bar function . The cookie ensures accurate and fast search results.
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
rc::a	Never Expires	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
rc::c		This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
ASPSESSIONIDQWBCSSBS	1year	Description is currently not available. Vuture is a third-party subscription tool used to send updates if you opt in to provide information to subscribe.
YSC	1 year	Youtube sets this cookie to track the views of embedded videos on Youtube pages.
ytidb::LAST_RESULT_ENTRY_KEY	Never Expires	The cookie ytidb::LAST_RESULT_ENTRY_KEY is used by YouTube to store the last search result entry that was clicked by the user. This information is used to improve the user experience by providing more relevant search results in the future.

Cookie	Duration	Description
_ga	1 year	Registers a unique ID that is used to generate statistical data on how the visitor uses the web site.
_ga_#	1 year	Used by Google Analytics to collect data on the number of times a user has visited the web site as well as dates for the first and most recent visit.
vuid	1 year	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos on the website.

Cookie	Duration	Description
VISITOR_INFO1_LIVE	6 months	YouTube sets this cookie to measure bandwidth, determining whether the user gets the new or old player interface.
VISITOR_PRIVACY_METADATA	6 months	YouTube sets this cookie to store the user's cookie consent state for the current domain.
yt.innertube::nextId	1 year	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	1 year	YouTube sets this cookie to register a unique ID to store data on what videos from YouTube the user has seen.