European Court dismisses an action for annulment of the new framework for the transfer of personal data between the EU and the US

European Court dismisses an action for annulment of the new framework for the transfer of personal data between the EU and the US

 

03 September 2025

In so doing, it confirms that, on the date of adoption of the contested decision, the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country.

The Charter of Fundamental Rights of the European Union and the Treaty on the Functioning of the European Union (TFEU) enshrine the right of every person to the protection of his or her personal data. On the basis of those legal instruments, and to avoid compromising the level of protection conferred within the European Union, EU secondary legislation lays down the rules applicable to international transfers of personal data. In accordance with those rules, if the European Commission considers that a third country ensures an adequate level of protection, transfers of personal data to that country may take place without further authorisation, on the basis of the adequacy decision adopted by the Commission. Such a framework, established by the adequacy decision adopted by the Commission on 10 July 2023 (‘the contested decision’), exists between the European Union and the United States of America. In the past, in the judgments in Schrems I and Schrems II, the Court of Justice declared the two previous adequacy decisions 7 concerning the United States to be invalid, on the ground that they did not ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed by EU law.

On 7 October 2022, the United States of America adopted an Executive Order
that strengthened the privacy safeguards governing activities carried out by intelligence agencies established in the United States. That order was supplemented by an Attorney General Regulation that amended the provisions governing the establishment and functioning of the Data Protection Review Court (‘the DPRC’). Following an examination of those regulatory developments in the United States, the Commission adopted the contested decision, which put in place the new
transatlantic framework for personal data flows between the European Union and the United States.

Against that background, Philippe Latombe, a French citizen and user of various IT platforms that collect his personal data and transfer them to the United States, asked the General Court to annul the contested decision. According to Mr Latombe, the DPRC is neither impartial nor independent, but dependent on the executive. Moreover, he submits that the practice of the intelligence agencies of that country of collecting in bulk personal data in transit from the European Union, without the prior authorisation of a court or an independent administrative authority, is not circumscribed in a sufficiently clear and precise manner and is, therefore, illegal.

The General Court dismisses the action for annulment.

Read more here.