The ruling confirms that, at the time of adoption, the United States ensured an “adequate level of protection” for personal data transferred from the EU, allowing transatlantic data flows to continue on that basis.
In its judgment in case T-553/23, the Luxembourg court rejected arguments that US surveillance law and the redress system fell short of EU standards. The court noted that signals intelligence activities are subject to ex post oversight by the US Data Protection Review Court (DPRC), a mechanism established to handle complaints from EU data subjects.
The decision provides legal certainty for thousands of organisations that rely on transatlantic transfers for operations such as payroll processing, customer support and cloud services, spanning sectors from banking and technology to pharmaceuticals and automotive manufacturing.
Latombe can appeal on points of law to the Court of Justice of the European Union (CJEU). The case is the first major test of the DPF before the EU courts since the Commission adopted its adequacy decision in July 2023.
The DPF was designed to address deficiencies identified by the CJEU when it invalidated Safe Harbour in 2015 and Privacy Shield in 2020, following actions brought by Austrian privacy campaigner Max Schrems. Those earlier rulings centred on concerns over US intelligence agencies’ access to Europeans’ data and the absence of effective redress.
Key to the Commission’s assessment in 2023 were measures introduced by Executive Order 14086, which added necessity and proportionality limits to US signals-intelligence activities and created the DPRC as a two-tier redress body. The US Department of Justice and the Office of the Director of National Intelligence subsequently set out implementation rules for the new system.
Wednesday’s judgment indicates that these safeguards met the threshold for an adequacy finding. The General Court concluded that multiple guardrails—both in the executive order and in the attorney general’s regulations—support the independence and effectiveness of the DPRC, and therefore the level of protection for EU data subjects.
Industry impact is immediate. Companies certified under the DPF can continue to rely on the adequacy decision as a lawful transfer mechanism, while standard contractual clauses remain available for organisations that do not participate in the framework. For many firms, the court’s endorsement reduces the need for additional risk assessments for routine transfers to US service providers.
Reactions were mixed. Schrems and his organisation noyb said they were “surprised” by the outcome and questioned whether the General Court had departed from CJEU case law, signalling that further litigation remains possible. Latombe also retains the option to appeal to the EU’s top court.
The ruling arrives amid strains in EU–US policy relations, including heightened scrutiny of large technology platforms in Europe and, according to Reuters, threats of retaliation by US President Donald Trump. While those tensions lie outside the legal merits of the case, they form part of the backdrop to a decision that stabilises the regulatory environment for data flows between the two economies.
Although the General Court’s decision is significant, it may not be the final word. An appeal to the CJEU could revisit questions around the sufficiency of US safeguards and the extent to which the DPRC offers redress equivalent in substance to EU requirements. Until and unless the CJEU rules otherwise, however, the Commission’s adequacy decision remains in force, and transfers under the DPF can continue.
For organisations moving personal data across the Atlantic, today’s outcome means continuity. Firms should ensure that their DPF certification status is current, vendor lists are mapped to appropriate transfer tools, and privacy notices clearly explain the legal basis for US transfers. Continued monitoring will be necessary in the event of an appeal or any changes in US law or practice relevant to the framework.
Supervisory authorities are expected to enforce transfers outside the DPF’s scope, including those based on standard contractual clauses and binding corporate rules, and to also apply EDPB guidance on government access and transfer risk assessments.
Belgian Appeals Court Confirms Illegality of Tracking-Based Advertising Framework in Europe
Post Views: 879