European Court of Justice to Review Challenge to EU-U.S. Data Privacy Framework

European Court of Justice to Review Challenge to EU-U.S. Data Privacy Framework

Blog WilmerHale Privacy and Cybersecurity Law

Cross-border data flows between the European Union (EU) and the United States have long been a point of legal and political contention, and the legal frameworks governing those flows have been repeatedly tested in the EU’s highest courts. The European Court of Justice, in particular, has already invalidated two prior frameworks for transatlantic data transfers—the Safe Harbor in 2015 (in the court’s Schrems I decision) and the Privacy Shield in 2020 (in the court’s Schrems II decision)—on the grounds that U.S. surveillance practices failed to meet EU standards for privacy and redress.

While the third framework—the EU-U.S. Data Privacy Framework (DPF)—survived its first courtroom test in September 2025, the European Court of Justice may soon weigh in again following French politician Philippe Latombe’s appeal on October 31, 2025. The European Court of Justice’s resolution of the case could have major implications for companies that rely on the European Commission’s adequacy decision regarding the DPF to enable transfers of personal data from the European Union to the United States.

On September 3, 2025, the General Court of the European Union (the EU’s court of first instance) dismissed a challenge brought by Latombe, a Member of the French Parliament, and confirmed the validity of the European Commission’s 2023 “adequacy” decision upholding the DPF. The EU General Data Protection Regulation (GDPR) empowers the European Commission to issue such “adequacy” decisions to permit data to be transferred from the EU to a non-European country without additional safeguards such as standard contractual terms or binding corporate rules.

Latombe’s challenge made three core claims:

  1. Lack of Independent Redress: Latombe argued that the U.S. Data Protection Review Court (DPRC), an administrative body established by President Biden’s Executive Order 14086 to provide certain forms of redress for EU individuals, lacks independence and impartiality.
  2. Overbroad Surveillance: Latombe also claimed that the DPF does not adequately prevent the bulk collection of data and that such collection violates Europeans’ fundamental rights.
  3. Insufficient Protections: Latombe further argued that U.S. law does not provide protections equivalent to those of EU law for data security and automated decision-making.

The General Court rejected each of Latombe’s arguments. It found the DPRC was a sufficiently independent and impartial tribunal, that U.S. law sufficiently limited bulk data collection, and that protections around data security and automated decision-making were substantially equivalent to those in the EU.

Importantly, the General Court emphasized that its review was limited to the legal and factual context at the time of the European Commission’s adequacy decision in July 2023 and pointed to key structural elements that contributed to the finding of adequacy. For example, the General Court referenced the independence of oversight bodies like the U.S. Privacy and Civil Liberties Oversight Board, which was created by statute as a part of the executive branch and, of greatest relevance here, consults with the Attorney General to appoint judges to the DPRC and reviews the redress mechanism provided by the DPRC.

However, the European Court of Justice has historically been more skeptical than the General Court in assessing U.S. surveillance practices and the adequacy of redress mechanisms. Its prior decisions in Schrems I and II invalidated frameworks that had also been endorsed by the European Commission, and Latombe’s appeal puts another framework before the European Court of Justice for consideration.

For companies relying on the DPF, the European Court of Justice’s impending review introduces renewed uncertainty. While the General Court’s decision provides short-term reassurance, the possibility of reversal on appeal means organizations should remain vigilant, including by:

  1. Monitoring developments in the appeal before the European Court of Justice and relevant regulatory changes;
  2. Continuing to carefully map U.S.-bound data flows;
  3. Maintaining alternative transfer mechanisms, such as standard contractual clauses; and
  4. Preparing for potential shifts in U.S. surveillance policy, including but not limited to changes regarding Executive Order 14086 and FISA Section 702, that could impact European adequacy assessments.

The European Court of Justice’s eventual ruling will have important implications for the future of transatlantic data transfers and digital trade at a time of heightened uncertainty.  American trade associations and sectoral industry bodies may apply to intervene in cases before the European Court of Justice, including on appeal, in support of the European Commission to defend the Data Privacy Framework.  WilmerHale’s team of EU-based appellate lawyers stands ready to provide assistance in such matters.

Authors

Related Solutions

Advising clients on changing priorities, new regulations, emerging threats and untapped opportunities.
Critical industry insight and formidable strength across key practices.
We help companies protect data, comply with evolving regulations, and respond to investigations and litigation.

More from this series

Explore the Full Series

Notice

Unless you are an existing client, before communicating with WilmerHale by e-mail (or otherwise), please read the Disclaimer referenced by this link. (The Disclaimer is also accessible from the opening of this website). As noted therein, until you have received from us a written statement that we represent you in a particular manner (an "engagement letter") you should not send to us any confidential information about any such matter. After we have undertaken representation of you concerning a matter, you will be our client, and we may thereafter exchange confidential information freely.

Thank you for your interest in WilmerHale.

I Accept Cancel