The ruling
On September 3, the General Court dismissed an action (T‑553/23, Latombe v Commission) to annul the EU–US Data Privacy Framework (DPF), confirming—at least for now—that the U.S. ensures an “adequate” level of protection for EU personal data transferred to certified U.S. organizations.
Why it matters
- Legal certainty: Cloud, HR, CRM and analytics programs that rely on DPF certification get a clearer runway.
- But not the last word: The applicant can appeal to the CJEU. Activists warn the framework could face further scrutiny.
What to do now
- Confirm counterparties’ DPF certifications and update records of processing.
- Re‑assess transfer impact assessments and supplementary measures in light of the ruling.