Luxembourg — The EU’s General Court dismissed a challenge to the EU–US Data Privacy Framework, confirming that, at adoption, the United States ensured an adequate level of protection for EU personal data transferred to certified U.S. organizations.
Key points from the judgment
- Case T‑553/23, Latombe v Commission: the court rejected arguments that the U.S. Data Protection Review Court lacks independence.
- It noted ex‑post judicial oversight of U.S. intelligence activities and ongoing Commission monitoring obligations.
- An appeal to the Court of Justice is still possible within ~2 months and 10 days.
Why it matters
After years of legal uncertainty post‑Schrems I/II, the ruling offers companies a clearer compliance path — at least for now. Privacy groups forecast further litigation.
What companies should do
- Confirm vendor certification against the DPF; refresh transfer impact assessments.
- Keep fallback SCCs updated in case legal winds shift.
- Harden deletion, purpose‑limitation and redress notices for EU users.
Source reporting: Court press materials and wire reporting.