On September 3, 2025, the General Court of the European Union delivered its judgment in Case T-553/23, Philippe Latombe v. European Commission, dismissing the action brought by Mr. Latombe seeking the annulment of the European Commission’s Implementing Decision (EU) 2023/1795 on the adequacy of the EU–U.S. Data Privacy Framework (DPF). This decision confirms that, at the time of its adoption, the United States ensured an adequate level of protection for personal data transferred from the European Union to organizations in that country.
Mr. Latombe, a French Member of Parliament, challenged the adequacy decision on several grounds. He argued that the DPF did not provide a level of protection for personal data equivalent to that guaranteed within the European Union under the General Data Protection Regulation (GDPR) and the Charter of Fundamental Rights of the European Union. Specifically, he contended that the Data Protection Review Court (DPRC), established in the U.S. to review complaints from EU data subjects, lacked independence as it forms part of the U.S. executive branch. Additionally, he claimed that U.S. intelligence agencies engaged in unlawful bulk data collection without prior judicial or independent oversight, infringing on fundamental rights to privacy and data protection.
The General Court addressed these concerns by emphasizing that the assessment of adequacy is based on the situation at the time the Commission made its decision. The Court found that, as of July 10, 2023, the date of the adequacy decision, the United States had implemented sufficient safeguards to ensure an adequate level of protection for personal data. The Court noted that the DPRC’s members are appointed according to criteria comparable to those for federal judges, are not allowed to hold executive functions, and that the decisions of the DPRC are binding. Supervision by the Privacy and Civil Liberties Oversight Board (PCLOB) further reinforces this independence. The Court also highlighted that the interception of electronic communications by U.S. intelligence agencies is subject to ex post judicial review, including review through the DPRC, which aligns with the requirements set forth in the Schrems II ruling.
This judgment marks a significant departure from previous decisions where the Court of Justice of the European Union invalidated prior data transfer frameworks, such as the Safe Harbour and Privacy Shield agreements, due to inadequate protection measures. The General Court’s decision in the Latombe case suggests a more deferential approach to the Commission’s adequacy decisions, potentially indicating a shift in the Court’s stance on data protection adequacy assessments.
Legal professionals should note that while the DPF currently stands, the Court emphasized the Commission’s ongoing monitoring obligation. Should U.S. law or practice change such that the level of protection is no longer adequate, the Commission is required to suspend, modify, or revoke the adequacy decision. This mechanism underscores that adequacy is not a one-time determination but a judgment subject to change.
In conclusion, the General Court’s dismissal of Mr. Latombe’s action upholds the validity of the EU–U.S. Data Privacy Framework, providing a stable legal basis for transatlantic data transfers. However, the decision also highlights the dynamic nature of data protection adequacy assessments and the necessity for continuous monitoring to ensure compliance with evolving standards.