The EU–U.S. Data Privacy Framework, approved in 2023, cleared a pivotal hurdle on Wednesday when Europe’s General Court, the bloc’s second-highest tribunal, upheld it. The court dismissed a challenge by French lawmaker Philippe Latombe, affirming that at the time of the framework’s adoption, the United States provided an “adequate level of protection” for personal data transferred from the EU.
Latombe had argued that U.S. intelligence surveillance remains unchecked and that the U.S. Data Protection Review Court (DPRC) lacks true independence and fails to meet robust EU privacy standards. The General Court, however, ruled that U.S. intelligence operations are subject to ex post judicial oversight via the DPRC, and therefore satisfy the EU’s adequacy requirement.
The ruling delivers relief to thousands of European and American businesses — including major banks, tech giants, automakers, and pharmaceutical firms — which rely on seamless cross-border data flows for functions like cloud services and payroll. The court’s endorsement offers a reprieve from prior legal chaos that disrupted routine operations.
Yet the intrigue isn’t over. Privacy advocate Max Schrems, whose previous complaints helped overturn earlier agreements like Safe Harbor (2015) and Privacy Shield (2020), maintains that the framework remains legally questionable. Schrems argues that the protections are cosmetic and insufficient to warrant lasting confidence. Legal analysts warn a fresh appeal to the Court of Justice of the European Union (CJEU) may follow soon.
This latest adequacy decision marks the third attempt to bridge EU-U.S. data-transfer rules with judicial approval after previous frameworks were struck down. Critics argue the cycle continues without addressing the root concern: U.S. mass surveillance powers like FISA Section 702 remain intact. The DPRC, an administrative body created via Executive Order 14086, has been criticized for lacking genuine independence. EU policymakers and watchdogs say real change requires U.S. legal reform—not just new facade-level structures.
The European Data Protection Board (EDPB) and many lawmakers acknowledge the new framework offers certain enhancements, yet point to continuing gaps that fall short of GDPR’s strict standards. The European Parliament has repeatedly urged renegotiation, raising concerns over protections against indiscriminate intelligence collection.
For now, the decision enables EU–U.S. data transfer operations to proceed with greater confidence. Companies can rely on the adequacy decision rather than cumbersome Standard Contractual Clauses, simplifying compliance and cutting legal costs. This arrangement restores a vital bridge for e-commerce, cloud computing, research collaboration, and digital advertising.
However, the broader implications of this court victory should not be overstated. Should the CJEU eventually reverse the decision, businesses might revert to fallback arrangements — such as SCCs — which are legally valid but more resource-intensive and uncertain. Legal uncertainty looms until substantive reform addresses surveillance authorities and independent oversight.
The EU General Court’s verdict offers a pause of legal clarity—but not resolution—in the ongoing tug of war over data privacy between Brussels and Washington. The decision preserves corporate workflows for now but leaves the door open to future court challenges and geopolitical friction.
Securing lasting stability, an effort spearheaded by the CJEU, will require real reforms in U.S. surveillance practices and stronger oversight mechanisms. Until then, the EU remains caught between the imperatives of digital economic integration and the protection of its citizens’ fundamental privacy rights.
Observers say the ultimate test will come if and when the CJEU reviews the framework. If the court strikes it down, policymakers will once again be forced back to the negotiating table, potentially for a fourth time in less than two decades. That scenario could reignite debates over Europe’s digital sovereignty and accelerate moves to localize data storage inside EU borders.
Meanwhile, businesses are advised to maintain contingency plans, keeping alternative transfer mechanisms like Standard Contractual Clauses in place as a safeguard. Legal experts caution that overreliance on the adequacy decision could expose firms to significant risk if another invalidation occurs.