- On September 3, 2025, the General Court dismissed Philippe Latombe’s complaint against the EU-US Data Privacy Framework (DPF).
- The court considered the Data Protection Review Court (DPRC) to be sufficiently independent and binding, despite criticism of its executive nature.
- The EGC found that mass surveillance was not generally permissible either inside or outside the USA; EO 14086 and other restrictions were sufficient guarantees.
- Automated individual decisions and data security requirements were deemed by the EGC to be sufficiently covered by sector-specific protection mechanisms and technical measures.
Since its entry into force on July 10, 2023, the EU-US Data Privacy Framework (DPF) has allowed companies and public authorities to transfer personal data to recipients in the USA certified under the DPF. In Switzerland, the Federal Council enacted the equivalent, the CH-US Data Privacy Framework, on September 15, 2024.
However, the DPF has been criticized as weak since the beginning, and the French MEP Philippe Latombe brought an action against the DPF before the ECJ. The ECJ has now confirmed the appropriateness of the DPF and dismissed Latombe’s lawsuit (judgment in Case T‑553/23; currently only available in French and Portuguese).
The decision is not final and Latombe has two months to appeal it to the ECJ.
Predecessors: Schrems I & II
As is well known, the DPF is a successor regulation in an effort to enable the economically necessary transfer of personal data from Middle Earth (EU) to Mordor (USA):
- Schrems I – Safe Harbor: The first attempt at such a regulation was the Safe Harbor Agreement. The ECJ overturned it in 2015 in the Schrems I ruling, with the following key statements:
73 […] However, as the Advocate General […] has pointed out, the expression ‘adequate level of protection’ must be understood as requiring that the third country actually ensures, by virtue of its national legislation or international obligations, a level of protection of freedoms and fundamental rights that is equivalent in substance to that guaranteed in the Union […]. […]
81 Even if recourse by a third country to a system of self-certification does not in itself infringe the requirement […] that an adequate level of protection must be ensured in the third country concerned ‘by virtue of its national law or international obligations’, the reliability of such a system with regard to this requirement is essentially based on the creation of effective monitoring and control mechanisms, which make it possible to identify and sanction in practice any violations of rules ensuring the protection of fundamental rights, in particular the right to respect for privacy and the right to the protection of personal data.
87 […] the exception in paragraph 4 of Annex I to Decision 2000/520 therefore makes it possible, on the basis of national security, public interest or United States law, to interfere with the fundamental rights of individuals whose personal data is or could be transferred from the Union to the United States. In order to establish the existence of an interference with the fundamental right to privacy, it is not relevant whether the privacy information concerned is of a sensitive nature or whether the data subjects may have suffered prejudice as a result of the interference ([…]).
89 In addition, Decision 2000/520 contains no determination of the existence of effective judicial protection against such interference. As the Advocate General stated in points 204 to 206 of his Opinion, the private arbitration mechanisms and the proceedings before the Federal Trade Commission, whose powers, described in particular in FAQ 11 in Annex II to the Decision, are limited to commercial disputes, relate to compliance by US companies with the safe harbor principles and cannot be applied in the context of disputes concerning the lawfulness of interference with fundamental rights resulting from measures of State origin.
92 Moreover, the protection of the fundamental right to respect for private life at Union level requires, above all, that the exceptions to the protection of personal data and its restrictions are limited to what is absolutely necessary […].
98 Therefore, without it being necessary to examine the content of the ‘safe harbor’ principles, it must be concluded that Article 1 of Decision 2000/520 infringes the requirements laid down in Article 25(6) of Directive 95/46 in the light of the Charter […].
- Schrems II – Privacy Shield: The second attempt was called Privacy Shield, an analogous regulation for transmission to certified US importers. Having entered into force in July 2016, it was overturned by the ECJ in July 2020 in the Schrems II judgment:
105 […] Art. 46 (1) and Art. 46 (2) lit. c of the GDPR must be interpreted as meaning that the appropriate safeguards, enforceable rights and effective legal remedies required under those provisions must ensure that the rights of individuals whose personal data are transferred to a third country on the basis of standard data protection clauses enjoy a level of protection equivalent in substance to that guaranteed in the Union by the GDPR in the light of the Charter. […].
176 Finally, in order to comply with the requirement of proportionality, according to which the exceptions and limitations relating to the protection of personal data must be limited to what is absolutely necessary, the legislation in question must lay down clear and precise rules on the scope and application of the measure in question and establish minimum requirements so that the persons whose data have been transferred have sufficient guarantees to ensure effective protection of their personal data against the risk of misuse. In particular, it must specify the circumstances and conditions under which a measure providing for the processing of such data may be taken in order to ensure that the interference is limited to what is absolutely necessary. The need to have such safeguards in place is all the more important where the personal data are processed automatically […].
177 In this regard, Article 45(2)(a) of the GDPR provides that, when assessing the adequacy of the level of protection offered by a third country, the Commission shall take into account, inter alia, the “effective and enforceable rights of the data subject” whose personal data is transmitted.
180 […] Section 702 of the FISA in no way indicates that restrictions exist on the authorization contained therein to carry out monitoring programs for the purpose of foreign reconnaissance. Nor is it apparent that guarantees exist for non-US persons potentially covered by these programs. In these circumstances, this provision […] is not suitable to guarantee a level of protection which is equivalent in substance to the level guaranteed by the Charter […].
184 Consequently, it can be assumed that neither Section 702 of FISA nor E.O. 12333 in conjunction with PPD-28 meet the minimum requirements under Union law in accordance with the principle of proportionality, so that it cannot be assumed that the monitoring programs based on these provisions are limited to what is strictly necessary.
194 In accordance with the requirements arising from Article 47 of the Charter and the case-law cited in paragraph 187 of the present judgment, the examination of whether the ombudsman mechanism referred to in the DSS decision is in fact capable of compensating for the restrictions on the right to judicial protection identified by the Commission must be based on the principle that individuals must have the opportunity to seek redress before an independent and impartial tribunal to obtain access to the personal data concerning them or to obtain the rectification or erasure of such data.
197 According to this, the ombudsman mechanism referred to in the DSS decision provides no legal recourse to an institution which would provide persons whose data are transferred to the United States with guarantees equivalent in substance to those required under Article 47 of the Charter.
199 It follows that Article 1 of the DSS Decision is incompatible with Article 45(1) of the GDPR, interpreted in the light of Articles 7, 8 and 47 of the Charter, and is therefore invalid.
Criticism of the DPF
Against this background, it is hardly surprising that the DPF quickly came under fire:
- The appropriateness decision was based primarily on Executive Order 14086 “Enhancing Safeguards for United States Signals Intelligence Activities”, which subjected reconnaissance measures to certain restrictions and introduced a complaints procedure for those affected. These commitments allowed the EU Commission to determine the appropriateness of this legal framework despite Schrems I and II. However, three points were particularly criticized: that an executive order is not a law and can therefore be easily repealed, that the activities of the US intelligence services are not sufficiently restricted on the basis of FISA 702, for example, and that the Data Protection Review Court (DPRC) created by the executive order is not independent (but part of the executive branch).
- Another basis for the appropriateness decision was the PCLOB. The Privacy and Civil Liberties Oversight Board is entrusted with the protection of privacy, in particular in the area of counter-terrorism, and is to oversee the DPRC. The dismissal of the Democratic members of the PCLOB by President Trump raised the question (also in the European Parliament) whether the DPF was thus deprived of a basis.
- What also did not help was the complaint, now ruled on, that French Member of Parliament Philippe Latombe brought shortly after the DPF came into force.
Most companies have therefore not relied exclusively on the DPF, but have additionally concluded the standard contractual clauses for transfers to certified US recipients, with direct effect or conditional on a repeal of the DPF.
Dismissal of the Latombe action
On September 3, 2025, the General Court of the European Union (General Court) dismissed Latombe’s complaint. The General Court’s reasoning is essentially as follows:
Independence of the DPRC
Latombe had argued that the DPRC was not an independent and impartial court within the meaning of the Charter. In contrast, the CFI came to the conclusion that the DPRC was sufficiently independent, especially as its members are appointed according to criteria comparable to those for federal judges, the members are not allowed to hold an executive function and the decisions of the DPRC are binding. The supervision by the PCLOB reinforces this. The fact that the DPRC was not created by law does not detract from this. However, the CFI did not address the removal of some judges by Trump.
Mass data collection by US intelligence agencies
According to Latombe, the adequacy decision also violated the Charter because US intelligence services could obtain personal data in bulk (“bulk collection”) without judicial authorization. The EGC bases its reasoning on the distinction between data procurement inside and outside the USA:
- In the USA, data can only be obtained for national security purposes (including for data transferred from the EU) in a targeted manner, i.e. in relation to a specific person, a specific account or another selector.
- Outside the USA, data is generally also collected in a targeted manner, but may also be collected in bulk. This bulk collection is subject to EO 14086 and EO 12333, which impose guarantees and restrictions. Unregulated bulk collection is not permitted either inside or outside the USA.
In the present case, the only question is whether mass collection is possible for data that is transmitted on the basis of the DPF. FISA 702 is not relevant here because FISA 702 does not concern mass collection.
With reference to EO 14086, Latombe had criticized, among other things, that the procurement did not require prior approval by a judicial or administrative authority. This is true. However, according to the ECJ, Schrems II does not require this either; subsequent judicial review is generally sufficient (as in this case by the DPRC). Even taking into account the case law of the ECJ and the ECtHR, prior authorization does not appear to be the only guarantee. As mentioned, US law contains sufficient restrictions on mass procurement and provides for the right to an effective legal remedy – that is sufficient.
Automated individual decisions and data security
Finally, Latombe criticized the lack of an explicit guarantee that individuals would not be subject to automated decisions. However, Art. 22 GDPR is inapplicable only where a certified US company collects data directly in the EU without an offer being made in accordance with Art. 3 para. 2 GDPR. There are sufficient sectoral protection mechanisms here (e.g. in credit, employment, insurance or healthcare law). The ECJ also took a different view of the lack of requirements for technical and organizational security measures.