PONT Data&Privacy

Data Privacy Framework remains standing (for now)

September 8, 2025

The European Court of Justice (CJEU) ruled on September 3, 2025 that the Data Privacy Framework (DPF) remains valid. The complaint of French parliamentarian Philippe Latombe was declared admissible, but rejected in substance. As a result, the DPF holds for the time being.

With the DPF, the European Commission recognizes a so-called "adequate level of protection" for transfers of personal data to the U.S. (Article 45 GDPR). This allows the transfer of personal data of data subjects in the EU to the U.S., where data protection is considered at least equivalent to the level of protection within the EU. Transfer means that data such as customer data, HR files or cloud storage cross the Atlantic to be processed in the U.S. This is precisely where the tension lies: are those data as secure in America as they are here?

Despite the DPF standing, uncertainty remains. Previous frameworks already fell at the Court of Justice and a new appeal is possible. So the question is whether the DPF will weather the storm.

Introduction

The protection of personal data when transferred to the U.S. remains a hot issue. Since 2015, two agreements have already been declared invalid by the CJEU. With the DPF, the European Commission hoped to finally bring stability. The central question is: what does the Latombe ruling mean for Article 45 GDPR and thus for the tenability of agreements based on it?

This article first briefly reviews the two earlier cases (Schrems I and II) and then discusses the Latombe case itself. This is followed by an analysis of the implications for the validity of the DPF and a look at the broader political context in the US. Are you especially curious about what this ruling means specifically for your organization? Then read Chapters 6 and 7, where practical tools and recommendations are provided.

1. Schrems I: end of Safe Harbour

In 2015, the Court of Justice declared the Safe Harbour agreement invalid. The reason was that U.S. law allowed large-scale access to data, while European citizens had little means of defending themselves against it. According to the Court, the Commission had assumed too easily that this system was adequate. (CJEU Oct. 6, 2015, Case C-362/14, Maximillian Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:650.)

2. Schrems II: Privacy Shield also invalidated

Five years later, in 2020, the same fate befell the Privacy Shield. This framework also provided insufficient protection against U.S. surveillance and did not give European citizens an effective remedy. The Court emphasized that these shortcomings were not compatible with the GDPR. Thus, another Article 45 decision fell (CJEU 16 July 2020, Case C-311/18, Data Protection Commissioner v. Facebook Ireland & Maximillian Schrems, ECLI:EU:C:2020:559).

3. Latombe: the DPF in court

Philippe Latombe asked the CJEU to invalidate (parts of) the July 10, 2023 adequacy decision. Specifically, it concerned the substance of Decision (EU) 2023/1795 by which the Commission determined that the U.S. provides an "adequate level of protection" under the DPF. (See Commission Implementing Decision (EU) 2023/1795 of July 10, 2023, OJ L 231, Sept. 20, 2023, p. 118-229.)

In his application, he argued that 1) the new Data Protection Review Court (DPRC) would not be truly independent and 2) U.S. intelligence agencies could still conduct bulk collection without prior authorization from a judge or independent authority. The CJEU substantively assessed and rejected these objections. With that, the DPF remains in force.

The date of the adequacy decision

The Court emphasizes that the assessment is made on the basis of the situation at the time the Commission made its decision. Thus, the question is not whether the U.S. safeguards are still adequate today or tomorrow, but whether they were so on July 10, 2023, the date of the adequacy decision. When the decision was made, an adequate level of protection existed, according to the Commission. The CJEU agrees. (CJEU (General Court) September 3, 2025, Case T-553/23, Latombe v. Commission, p.2.)

Independence DPRC

On the independence of the DPRC, the CJEU states that at the time there were clear safeguards around appointment, dismissal and working methods of the judges. For example, dismissals can only be made "for cause" by the Attorney General and neither the Attorney General nor the intelligence agencies may interfere with or influence the work. In this light, the Court rejects the argument that the DPRC is merely an extension of the executive branch. (CJEU (General Court) September 3, 2025, Case T-553/23, Latombe v. Commission, pp. 1-2.)

Bulk collection by U.S. intelligence agencies

With respect to bulk collection, the CJEU points to Schrems II. This ruling does not necessarily require prior authorization by an independent authority, but at least ex post judicial review. The case shows that the interception of electronic communications by U.S. intelligence agencies (so-called signals intelligence activities) is subject to ex post judicial review, including review through the DPRC. This, the CJEU says, does not demonstrate that the U.S. practice is necessarily below the EU threshold or that the level of protection is not "substantially equivalent." (CJEU (General Court) September 3, 2025, Case T-553/23, Latombe v. Commission, p.2.)

Adequacy requires maintenance

Furthermore, the CJEU emphasizes the Commission's ongoing monitoring obligation. As soon as U.S. law or practice changes such that the level of protection is no longer adequate, the Commission must suspend, modify or revoke. That mechanism underscores that adequacy is not a one-time stamp, but a judgment that can be subject to change. (CJEU (General Court) September 3, 2025, Case T-553/23, Latombe v. Commission, p.2.)

4. But then, does this offer security?

The Latombe ruling makes it clear that the DPF will stand for now. The CJEU confirms that the European Commission was allowed to designate the U.S. as adequate. This gives organizations predictability: they may continue to transfer personal data based on the DPF, without the need for additional contracts first. For thousands of companies that rely on U.S. cloud services or software, this is of great significance.

At the same time, the ruling shows that there are also vulnerabilities. Article 45 is read as a dynamic mechanism: the test looks at the legal and factual framework at the time of the decision, with a duty for the Commission to intervene again once the situation changes. Adequacy is thus not a guarantee for the future. (Article 45(3) and (4) GDPR. See also CJEU (General Court) 3 September 2025, Case T-553/23, Latombe v. Commission, p.2.)

On top of that, previous Safe Harbour and Privacy Shield decisions were ultimately overturned by the Court. It is not inconceivable that an appeal in the Latombe case could have the same result. The bar is high: as soon as doubts arise about the independence of surveillance or the proportionality of surveillance, the Court could still intervene.

5. Trump is not big on privacy

Palantir

The political context in the U.S. reinforces that uncertainty. Now that Donald Trump is president again, US privacy policy is under added pressure. Under his administration, Palantir, a technology company specializing in data analytics and artificial intelligence, is getting large contracts with federal agencies such as the IRS, the Pentagon and immigration authorities. Critics warn that this collaboration could lead to large-scale centralization of data and intensified surveillance, without transparency or sufficient safeguards. (The New York Times, "Trump and Palantir: A Data Powerhouse Reshaping How the U.S. Handles Americans' Information," May 30, 2025. Link: https://www.nytimes.com/2025/05/30/technology/trump-palantir-data-americans.html.) (The Guardian, "Palantir is a threat to Americans' freedoms - and Trump is giving it more power," June 30, 2025. Link: https://www.theguardian.com/commentisfree/2025/jun/30/peter-thiel-palantir-threat-to-americans.)

Medicaid data to ICE

Earlier, a move by the Trump administration showed that privacy can quickly become secondary to other interests: sensitive Medicaid data on millions of Americans, including name, address, Social Security number, immigration status and health claims, was shared with the Department of Homeland Security. (AP News. "Trump administration hands over nation's Medicaid enrollee data to ICE". July 17, 2025. Link: https://apnews.com/article/immigration-medicaid-trump-ice-ab9c2267ce596089410387bfcb40eeb7.)

According to privacy advocates, this likely violated federal health privacy law HIPAA. Twenty states, led by California, went to court to block the practice and demanded that the government stop it. (AP News, "20 states sue Trump administration over Medicaid data sharing with Homeland Security," July 2, 2025. Link: https://apnews.com/article/trump-medicaid-immigrant-california-161f7e1b9087512d674258f32f822878.)

Meanwhile, a federal judge in California has prohibited the sharing of Medicaid data with immigration authorities, and also ruled that the data already shared cannot be used for immigration enforcement.

ICE and spyware

Adding to this, the U.S. immigration agency ICE now uses the Israeli spyware Graphite, which can even penetrate encrypted apps such as WhatsApp and Signal. This program started under Biden, but is being continued and expanded by Trump, further adding to concerns about mass surveillance and lack of safeguards. (The Guardian, "Trump administration expands ICE use of Israeli spyware Graphite to monitor immigrants," Sept. 2, 2025. Link: https://www.theguardian.com/us-news/2025/sep/02/trump-immigration-ice-israeli-spyware?utm_source=chatgpt.com.)

6. What does this mean for your organization?

The Latombe case provides breathing room for now, but does not resolve the fundamental tension. The DPF has not been invalidated, but the possibility of appeal remains. (Although even then the ruling will apply ex tunc.) The DPF may also come under pressure from political developments in the U.S. Organizations that rely heavily on U.S. infrastructure would therefore do well to remain alert. Specifically, it is wise not only to rely on the current situation, but to already look ahead.

Mapping data flows to the U.S.

A first step is to map out your own data flows to the U.S. What personal data is crossing the ocean, through which systems and for what purpose? Think of customer data processed in U.S. cloud services, payroll data flowing through a U.S. HR service provider, or communications through platforms that have their servers located outside the EU. Creating this overview also makes it clear which transfers now lean on the DPF and where other bases, such as standard contractual clauses, are used. In this way, you can immediately see which processes are most vulnerable to a new legal twist.

Alternative transfer mechanisms

Next, it is wise to think about fallback options. If the DPF were to fail tomorrow, what alternative mechanisms can your organization deploy? The most obvious are standard contractual clauses (SCCs), but these require timely preparation and proper management. Organizations that have these ready to go now can move faster if the legal frameworks change again.

Secure

Also consider technical and organizational measures. Encryption, pseudonymization and data minimization are not a superfluous luxury, but practical ways to limit the risks of transfer. Especially with sensitive data, such as health information or financial data, this can play a crucial role. The advantage of such measures is that they reduce risks and reduce reliance on a single legal instrument. They do not replace a valid transfer mechanism, but they do ensure that personal data remains better protected and make a move to alternative mechanisms, such as SCCs, easier and less invasive.

Alternative systems

Finally, it pays to look more broadly at the market. Many services that are now routinely purchased from U.S. providers are also available in Europe. Consider payroll or HR systems, for example: where many organizations automatically choose providers such as Workday or ADP, there are also European alternatives such as Personio from Germany, SD Worx from Belgium or Norway's Visma. Even with CRM systems, Salesforce has long been the obvious choice, while packages such as SuperOffice from Norway and Efficy from Belgium can be European alternatives.

Sectoral regulations

In addition to the GDPR, additional regulations play a role in choosing IT and cloud services in many industries. Consider the Digital Operational Resilience Act (DORA) for the financial sector, the Cyber Resilience Act (CRA) for products with digital elements and the Critical Entities Resilience Directive (CER) for critical infrastructure. These frameworks emphasize security, continuity and control of supply chains. In doing so, they also indirectly influence whether an organization can afford to house critical services with U.S. parties, or whether a European provider is preferable. It can be useful to develop a transition scenario in advance. This does not necessarily mean that you migrate now, but it does mean that you know what alternative providers there are and how a switch can be practically executed. This will save you time and peace of mind if an unexpected switch does have to be made.

7. Conclusion

In short, the DPF is currently useful and practical, but those who think ahead and prepare alternatives and measures now will prevent a future legal twist from putting unexpected pressure on business operations. For organizations, this means that for now, data can go to the U.S. without additional barriers, but in practice protection remains highly dependent on political and legal developments. The key question of whether U.S. law truly provides an equivalent level of privacy protection has yet to be definitively answered.

This case thus does not mark an end point, but an intermediate station. Article 45 remains the central instrument for international transfers, but as long as the balance between economic interests and fundamental rights is on edge, any new decision will be under a magnifying glass.