Skip to main content

Clifford Chance

Clifford Chance
All
Data<br />

Data

Talking Tech

Transatlantic Data Transfers: Where the DPF Stands Post-Latombe

Data Privacy 11 September 2025

The EU General Court’s judgment on 3 September 2025 confirms the DPF’s validity at this stage. The analysis below sets out the legal reasoning, practical implications, and next milestones.

The EU-US Data Privacy Framework (DPF) was adopted by the European Commission on 10 July 2023, facilitating EU-to-US transatlantic data flows under Article 45 of the EU General Data Protection Regulation (GDPR).

However, the DPF has faced immediate legal and political scrutiny, culminating in a high-profile challenge brought by French MP Philippe Latombe before the EU General Court. On 3 September 2025, the General Court dismissed the challenge. While the decision is welcome news for organisations relying on the DPF for data transfers, further challenges should be anticipated.

Background: The Evolving Landscape of Transatlantic Data Transfers

The DPF is the third EU-US adequacy framework, following the invalidation of Safe Harbor (2015) and Privacy Shield (2020) in Schrems I and Schrems II. The European Commission’s adequacy decision in 2023 in relation to the DPF enables transfers of personal data from the EEA to US companies that have committed to comply with the DPF Principles, without having to rely on other GDPR transfer mechanisms such as "Standard Contractual Clauses" (SCCs) or Binding Corporate Rules (BCRs). This adequacy decision relied on US legal reforms, notably Executive Order (EO) 14086 (introducing necessity and proportionality requirements and a two-tier redress mechanism via the Office of the Director of National Intelligence's Civil Liberties Protection Officer (ODNI CLPO) and the Data Protection Review Court (DPRC)) and the DOJ’s regulation DPRC at 28 C.F.R. Part 201 (see our article: The legal uncertainty facing EU-US Data Transfers – Storm over the Atlantic).

The European Data Protection Board (EDPB) welcomed substantial improvements represented by the DPF in comparison with Safe Harbor and Privacy Shield, but flagged issues for ongoing scrutiny, including temporary bulk data collection, data retention/dissemination, and transparency of redress.

Early in 2025, litigation over the removal of two members of the US Privacy and Civil Liberties Oversight Board (PCLOB) highlighted both the Board’s independence and the stability of the DPF (see our article: Transatlantic Data Transfer: EU raises concerns over U.S. oversight changes (again)). The PCLOB oversees agencies’ implementation of EO 14086, is consulted on appointments of Data Protection Review Court judges, and reviews whether redress bodies handle complaints promptly. On 21 May 2025, a federal district court ordered the members reinstated, finding at-will removal incompatible with the Board’s oversight mandate. However, on 1 July 2025, the D.C. Circuit stayed that order pending appeal, leaving it unresolved.

EU General Court Dismisses the Latombe Action

On 6 September 2023, French MP Philippe Latombe filed an action for annulment of the adequacy decision, together with a separate interim-measures request. Mr. Latombe challenged the adequacy decision on two fronts.

  • First, he argued that the DPRC, created by Attorney General regulation and situated within the executive, lacks the independence and impartiality of a tribunal “established by law”, and therefore does not provide an effective remedy (Article 47 of Charter of Fundamental Rights of the European Union). 
  • Secondly, he contended that US signals-intelligence practices still allow bulk collection without prior authorization by an independent authority, leading to disproportionate and indiscriminate access to EU data in breach of Articles 7 and 8 of the Charter.

The President of the EU General Court dismissed the request for interim relief on 12 October 2023 for lack of urgency; but the main annulment action continued.

On 3 September 2025, the EU General Court issued its long-awaited ruling in the Latombe case concerning the validity of the DPF and its stance regarding the independence of the DPRC, as well as the absence of prior authorisation for bulk data collection by the US intelligence agencies.

Departing from usual practice, the Court bypassed the question of admissibility (for additional information on the admissibility, see our article: The legal uncertainty facing EU-US Data Transfers – Storm over the Atlantic) and proceeded directly to examine the merits of the case.

The EU General Court found the DPRC to be independent, mainly taking into consideration the safeguards on the appointment and the removal procedures of its members covered by the US Attorney General, despite the prior consultation of the PCLOB on the appointment of DPRC judges. The Court also noted that the US Attorney General and intelligence agencies could not obstruct or unduly influence their work, along with the fact that the European Commission may decide to suspend, amend or revoke the DPF if it considers the framework no longer provides adequate protection to European personal data.

Regarding bulk data collection by intelligence agencies, the EU General Court found that the absence of prior authorization does not, per se, breach the Schrems II requirements, provided there is ex post judicial review – now ensured through the DPRC.

Latombe's arguments that US law does not contain sufficient protections in relation to automated decision-making and security were also dismissed, on the basis that adequacy decisions do not require identical protection but rather 'substantially equivalent' protection.

Consequently, the EU General Court dismissed entirely the action to annul the DPF. The judgment leaves the European Commission’s adequacy decision intact, meaning that, as of September 2025, the DPF continues to provide a valid legal basis for transatlantic data transfers. By upholding the framework against its first judicial challenge, the EU General Court delivers a period of legal certainty for organisations relying on DPF certification, pending any appeal to the Court of Justice.

What's next in the EU?

An appeal on points of law may be brought before the Court of Justice within two months and ten days of notification. Privacy groups, including NOYB, have signalled potential further challenges. Separately, the European Commission is required to continuously monitor the DPF and may suspend, amend, or repeal the adequacy decision if US safeguards weaken. In parallel, recent national enforcement trends (e.g., Google Analytics cases) show that some DPAs may still pressure organisations towards “sovereign” setups even where adequacy exists.

Practical Takeaway

For now, the DPF remains a valid and streamlined pathway for EU to US personal data transfers. Build around it, keep SCC/BCR playbooks ready, refresh Transfer Impact Assessments (referencing EO 14086 and the DPRC where relevant), and monitor both the appeal and US oversight landscape. This layered approach is the most legally resilient way to maintain EU-US data flows after Latombe.

Toolkits & Client Log-in