The Latombe Decision: The EU-US Data Privacy Framework is upheld.
In a ruling issued on September 3, 2025, the EU’s General Court rejected an annulment action brought against the EU–US Data Privacy Framework, affirming the validity of the European Commission’s 2023 adequacy decision for the US.
Background
The EU’s data protection framework sets out strict conditions for transferring personal data outside the European Economic Area.
To allow such transfers, the General Data Protection Regulation provides several legal mechanisms, including Standard Contractual Clauses (“SCCs”) and adequacy decisions.
An adequacy decision allows personal data to flow from the EU to a third country, specific sector, or international organisation without requiring additional safeguards—provided that the European Commission has determined the destination offers an “essentially equivalent” level of data protection.
Significance of the decision
The recent ruling marks a notable moment in international data protection law. Unlike its predecessors, the EU-US Safe Harbour and EU-US Privacy Shield, which were invalidated in 2015 and 2020 respectively, the EU-US Data Privacy Framework has, for now, survived its first major legal challenge.
Implications for businesses
- It allows businesses operating across the EU and U.S. to continue data transfers under the EU-US Data Privacy Framework with more confidence, offering greater legal stability.
However, it is important for businesses to remain alert:
- The legal challenge is not necessarily over. An appeal is likely, and future scrutiny of the EU-US Data Privacy Framework could impact its long-term viability.
- If the EU-US Data Privacy Framework faces a future challenge and is invalidated, relying on it alone might pose compliance issues for businesses. Therefore, businesses should monitor the cases’ development and maintain contingency plans to ensure continued compliance.
- The judgment does not eliminate the obligation to conduct Transfer Impact Assessments when using other transfer tools, such as Standard Contractual Clauses (SCCs). This is particularly relevant for U.S.-based data recipients who have not self-certified under the EU-US Data Privacy Framework.