Article in Greek available on Lawspot.gr
1. Introduction
In a landmark ruling delivered on September 3, 2025, the General Court of the European Union decisively upheld the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF), marking a crucial victory for transatlantic data flows in the post-Schrems II era. The judgment in Latombe v. Commission (T-553/23) represents the first major judicial test of the new framework designed to replace the invalidated Privacy Shield, addressing head-on the fundamental concerns about US surveillance practices that have plagued EU-US data transfers for over a decade. The ruling provides long-awaited legal certainty for thousands of companies relying on transatlantic data transfers
The case, brought by French citizen Philippe Latombe, challenged the Commission’s July 2023 adequacy decision on multiple fronts, arguing that the new framework failed to provide substantially equivalent protection to that guaranteed under EU law. The Court’s comprehensive rejection of these challenges provides critical validation for the DPF and offers important guidance on the interpretation of adequacy requirements following the Court of Justice’s stringent rulings in Schrems I and II.
2. The Legal Framework and Historical Context
The EU-US DPF emerged from the ashes of the Privacy Shield framework, which was invalidated by the Court of Justice in Schrems II due to insufficient safeguards against US intelligence surveillance. The Court noted that the decision under challenge was adopted on July 10, 2023, following the US adoption of Executive Order 14086 on October 7, 2022, which strengthened privacy protections governing signals intelligence activities by US intelligence agencies.
This historical context is crucial for understanding the heightened scrutiny applied to US surveillance practices. As the General Court observed, the Court of Justice in Schrems I and II had estimated that, contrary to the assessment of the European Commission emerging from the adequacy decisions mentioned above, the safe harbor system and the Privacy Shield system governing the transfer of personal data did not guarantee a level of protection of fundamental freedoms and rights substantially equivalent to that guaranteed by Union law.
3. Independence and Impartiality of the Data Protection Review Court
3.1. The Core Challenge to DPRC Independence
The applicant’s primary argument centered on the independence and impartialité of the newly established Data Protection Review Court (DPRC), arguing that it constituted a para-judicial body dependent on the executive rather than an independent and impartial tribunal. The Court emphasized that the requirement of independence of courts, which is inherent to the mission of judging, is part of the essential content of the right to effective judicial protection and the fundamental right to a fair trial.
3.2. Structural Safeguards and Appointment Process
The General Court conducted a thorough analysis of the DPRC’s institutional design, examining three key areas of concern: the relationship with the Civil Liberties Protection Officer (CLPO), the appointment process, and potential executive supervision.
Regarding the appointment process, the Court found that judges must be legal practitioners, namely active members in good standing of the bar who are duly authorized to practice law, and they must have appropriate experience in privacy law and national security matters.” Crucially, the Court noted that only persons who meet the aforementioned qualifications and who are not employees of the executive power at the time of their appointment or have not been so in the previous two years may be appointed to the DPRC.
3.3. Functional Independence and Decision-Making Powers
The Court was particularly persuaded by the DPRC’s substantive powers and independence in decision-making. The judgment emphasized that the DPRC has the power to reform, is not bound by the CLPO’s decision and, in case of disagreement with the latter, may adopt its own decision regarding the personal data complaint. Moreover, whatever decision is taken by the DPRC, this decision is binding and final.
This analysis demonstrates the Court’s pragmatic approach to institutional independence, focusing on functional autonomy rather than formal structural separation from the executive branch.
4. US Intelligence Surveillance and Bulk Data Collection
4.1. Distinguishing Bulk Collection from Mass Collection
The Court made an important distinction between different types of data collection practices, clarifying that ‘mass collection’ of personal data referred to by the Commission as collection carried out in a generalized and indiscriminate manner without restrictions or safeguards is not authorized in the United States and cannot be carried out either on its territory or outside it.
The judgment focused specifically on “bulk collection,” defined as authorized collection of large quantities of signals intelligence which, for technical or operational reasons, is carried out without using discriminants, for example specific identifiers or selection criteria.
4.2. Legal Framework Governing Bulk Collection
The Court conducted a detailed examination of the legal constraints imposed by Executive Order 14086 on bulk collection activities. The Court noted that signals intelligence activities must be conducted in a manner proportionate to the validated intelligence priority for which they have been authorized, in order to find a fair balance between the importance of the intelligence priority pursued and the impact on privacy and civil liberties of the person concerned, regardless of their nationality and place of residence.
4.3. Post-Schrems II Compliance
Addressing the applicant’s argument that the new framework suffered from the same deficiencies as the invalidated Privacy Shield, the Court distinguished the current situation from that condemned in Schrems II. The Court explained that unlike what the applicant argues, it cannot be considered that the bulk collection of personal data carried out by intelligence agencies on the basis of the contested decision does not satisfy the requirements arising from the Schrems II judgment in this regard.
The Court emphasized the significance of the DPRC’s judicial review function, noting that E.O. 14086 and the AG regulation subject the signals intelligence activities conducted by US intelligence agencies, including when they carry out bulk collection of personal data, to the post hoc judicial surveillance of the DPRC, whose decisions are final and binding and are imposed both vis-à-vis the US government and said agencies.
5. Automated Decision-Making Protections
5.1. Residual Application Scope
The Court addressed concerns about protections against automated decision-making under Article 22 GDPR, examining three scenarios for cross-border data processing. The judgment concluded that the hypotheses in which entirely automated decisions do not fall within the scope of Article 22 GDPR are residual and are limited to the case where DPF organizations directly collect, in the Union, personal data, without however offering Union citizens goods or services and without following their behavior.
5.2. Sectoral Protections in US Law
The Court found that US sectoral legislation provided adequate safeguards in key areas where automated decision-making was most likely to occur. The judgment noted that in consumer credit matters, the Fair Credit Reporting Act and the Equal Credit Opportunity Act contain safeguards that offer consumers a form of right to explanation and a right to challenge entirely automated decisions.
6. Data Security Requirements
Comprehensive Security Framework
The final substantive challenge concerned data security obligations under the DPF. The Court rejected arguments that the framework created gaps in security requirements, finding that the terms ‘create,’ ‘manage,’ ‘use,’ and ‘disseminate’ appearing in point II.4(a) of Annex 1 of the contested decision as well as the terms ‘store,’ ‘use,’ and ‘disclose’ appearing in point III.6(f) of the same annex constitute specific manifestations of the operation consisting in the ‘processing’ of personal data.
The Court emphasized that the term “use” encompasses consultation activities, as by definition, to be able to resort to data, it is necessary beforehand to have access to it and therefore to consult it.
7. Implications and Practical Takeaways
7.1. Validation of Pragmatic Approach to Adequacy
This judgment represents a significant validation of the Commission’s more pragmatic approach to adequacy assessments post-Schrems II. The Court’s acceptance that the Commission is not required to ensure that the relevant provisions of the third country are identical to those in force in the Union, but that they are substantially equivalent provides important breathing room for future adequacy negotiations.
7.2. Institutional Design Principles
The DPRC analysis offers valuable guidance for designing independent oversight mechanisms that can satisfy EU standards while respecting third country constitutional frameworks. The Court’s focus on functional independence, binding decision-making power, and procedural safeguards provides a template for future adequacy frameworks.
7.3. Intelligence Surveillance Constraints
The judgment clarifies that post-Schrems II adequacy decisions must include robust constraints on intelligence surveillance, but that ex ante judicial authorization is not the only acceptable model. The combination of “clear legal rules governing the implementation of bulk collection,” “effective ex post judicial review,” and “comprehensive oversight mechanisms” can provide substantially equivalent protection.
7.4. Sectoral vs. Comprehensive Protection
The Court’s acceptance of sectoral protections for automated decision-making suggests a more flexible approach to equivalence assessments, recognizing that different legal systems may achieve equivalent outcomes through different means.
8. Conclusion
The Latombe judgment marks a watershed moment for EU-US data transfers, providing the first comprehensive judicial validation of the post-Schrems II adequacy framework. By upholding the DPF while maintaining rigorous scrutiny of US surveillance practices, the Court has struck a careful balance between protecting fundamental rights and enabling essential transatlantic data flows.
For practitioners, this decision provides crucial legal certainty for organizations relying on the DPF while reinforcing the importance of robust oversight mechanisms in adequacy frameworks. The judgment’s detailed analysis of institutional independence, surveillance constraints, and equivalence standards will undoubtedly influence future adequacy negotiations and the broader evolution of international data transfer law.
The Court’s pragmatic yet principled approach suggests that the post-Schrems II era may be entering a more stable phase, where carefully designed frameworks with appropriate safeguards can satisfy EU adequacy standards while accommodating the legitimate security interests of third countries. However, the Commission’s ongoing monitoring obligations ensure that this framework will continue to face scrutiny as US surveillance practices and technologies evolve.
Stergios Konstantinou,
Advanced LLM (IP & ICT Law)
CIPP/E, CIPM, FIP