The EU-US Data Privacy Framework has passed its first test

On September 3, 2025, the General Court of the European Union (GCEU) confirmed the legality of the new EU-US Data Privacy Framework. It thus dismissed an action seeking annulment of the underlying adequacy decision of the European Commission (EC). For the time being, data transfers from the EU to the US remain on a secure legal basis for US companies that have joined the framework. This makes it easier for many users to use American services and technologies that involve the transfer of personal data to the US.

Background

According to Sections 44 et seq. of the General Data Protection Regulation (GDPR), the transfer of personal data to the US is generally only permissible under data protection law if, apart from certain exceptional cases, it is based either on an adequacy decision by the EU Commission or on appropriate safeguards, such as, in particular, the Standard Contractual Clauses (SCC).

In the Schrems I and Schrems II judgments, the European Court of Justice (ECJ) declared the two previous adequacy decisions for the US to be invalid. The reason was that they did not guarantee a level of protection for fundamental rights and freedoms comparable to that provided by EU law. In particular, criticism was levelled at the extensive surveillance activities of the US intelligence services and the inadequate legal protection for EU citizens in the US.

Prior to the current adequacy decision by the EU Commission on July 10, 2023, data transfers from the EU to the US were therefore often costly and legally uncertain. The new adequacy decision is a response to regulatory progress in the US: on October 7, 2022, the United States issued Executive Order 14086, which tightened data protection safeguards for the activities of US intelligence services. This was supplemented by a regulation issued by the Attorney General (28 CFR Part 201), which governed the establishment and operation of the Data Protection Review Court (DPRC). The DPRC serves as a legal remedy mechanism for complaints from EU citizens about US authorities' access to their data.

Nevertheless, French MP Philippe Latombe, as a user of various IT platforms that enabled the transfer of his personal data to the US, felt that several of his fundamental and data protection rights had been violated and filed a lawsuit to have the adequacy decision overturned. In particular, he criticized that the newly created DPRC was not a sufficiently independent court and that US intelligence agencies could continue to view and collect personal data on a large scale without prior authorization by a court or an independent administrative authority.

Decision of the General Court

The Court has now ruled that the DPRC has sufficient institutional and procedural safeguards to ensure its independence and impartiality. The judges of the DPRC are appointed for a fixed term, may not hold government office during that term, may only be dismissed for good cause, and their decisions are binding on both the US government and the intelligence services.

The independence of the DPRC is further strengthened by several other factors. The judges are appointed by the Attorney General, must meet the same strict criteria as federal judges, and have relevant legal experience. In addition, they may not have been employees of the executive branch at the time of their appointment or in the two years prior to it. Furthermore, the DPRC's decisions are final and binding on all intelligence services and the US government.

The fact that the Civil Liberties Protection Officer (CLPO), who reports to the Director of National Intelligence as part of the executive branch, conducts the initial review of a complaint about a possible violation of data protection rights does not, in the court's view, affect the independence of the DPRC. The DPRC has the power to review the CLPO's decisions completely independently and, if necessary, to overturn them.

On the subject of mass data collection, the court summarized that the Schrems II ruling did not require mandatory prior approval by an independent body, but at least subsequent judicial review. This is precisely what is provided for in the new system. The surveillance measures of the US intelligence services can be reviewed retrospectively by the Data Protection Review Court (DPRC) and corrected if necessary.

The General Court therefore did not agree with the plaintiff's argument and dismissed his action in its entirety. Nevertheless, the plaintiff still has the option of appealing to the European Court of Justice (ECJ) as the next instance. Regardless of this, the decision represents a noticeable relief for companies for the time being.

Despite the relief that the EU-US Data Privacy Framework can offer for data transfers to the US if a US company has joined the framework, companies should always keep an eye on the legal requirements and potential risks associated with the transfer of personal data, especially to third countries. The IP-IT data protection team at BINDER GRÖSSWANG is available to answer specific questions or provide support with legal implementation.

Please note: This blog is for general information purposes only and in no way constitutes legal advice from Binder Grösswang Rechtsanwälte GmbH. The blog cannot replace individual legal advice. Binder Grösswang Rechtsanwälte GmbH accepts no liability of any kind for the content and accuracy of the blog.