EU General Court Upholds Trans‑Atlantic Data Privacy Framework
Europe’s General Court has dismissed a challenge to the EU–US Trans‑Atlantic Data Privacy Framework. The court ruled that, at the time the decision was adopted, the United States provided an adequate level of protection for personal data transferred from the EU to US organisations.
Key points
- The claimant, French MP Philippe Latombe, argued the framework lacked sufficient guarantees against bulk collection and that the Data Protection Review Court (DPRC) was not an independent forum.
- The General Court found the DPRC’s structure and judge-appointment safeguards ensure independence; judges may be removed only by the Attorney General and for cause.
- The court said the Commission must monitor implementation and may suspend, amend or repeal the adequacy decision if the US legal framework changes.
- Latombe’s claims about bulk collection were dismissed. He may still appeal to the Court of Justice of the EU (CJEU).
Context
The framework was negotiated in 2023 to allow US companies to continue storing Europeans’ personal data on US servers while offering new safeguards, including the DPRC to handle complaints. Previous EU‑US data transfer mechanisms (Safe Harbor, Privacy Shield) were invalidated by the CJEU in earlier rulings following privacy concerns raised by activists such as Max Schrems.
Implications
The ruling stabilises transatlantic data transfers for now but leaves oversight responsibilities with the European Commission and opens the door to further legal challenges. Political changes in the US and future legal developments could still affect the framework’s status.
Sources: EU General Court (press release & judgment), Engadget.