Introduction
On 3rd September 2025, the General Court of the European Union delivered its judgment in Case T-553/23, Philippe Latombe v. European Commission, whereby it dismissed the action brought by Mr. Philippe Latombe (the “Applicant”) seeking the annulment of the European Commission’s Implementing Decision (EU) 2023/1795 on the adequate level of protection of personal data under the EU-US Data Privacy Framework (the “Adequacy Decision”). The Applicant sought the annulment of the Adequacy Decision on the basis that the EU-US Data Privacy Framework (the “DPF”) does not afford a level of protection of personal data essentially equivalent to that guaranteed within the European Union under the General Data Protection Regulation (the “GDPR”) and the Charter of Fundamental Rights of the European Union (the “Charter”).
Background of the Case
The Charter enshrines the right of every person to the protection of his or her personal data. On this basis, and to avoid compromising the level of protection conferred within the EU, the GDPR lays down the rules applicable to the international transfers of personal data. In accordance with those rules, if the European Commission considers that a third country ensures an adequate level of protection, transfers of personal data to that country may take place without further authorisation, on the basis of an adequacy decision adopted by the Commission.
This case followed a long history of judicial scrutiny over the European Commission’s adequacy decisions on EU–US data transfer mechanisms. The Schrems I judgment of 6 October 2015 (Case C-362/14) had invalidated the “Safe Harbour” agreement, finding that United States law permitted public authorities to access personal data on a mass scale without sufficient safeguards. Later, the Schrems II judgment of 16 July 2020 (Case C-311/18) invalidated the “Privacy Shield” adequacy decision for similar reasons, particularly the absence of effective judicial redress and the broad powers of US intelligence agencies.
On 7 October 2022, the US adopted Executive Order 14086 that strengthened the privacy safeguards governing activities carried out by intelligence agencies established in the US. That order was supplemented by an Attorney General Regulation that amended the provisions governing the establishment and functioning of the Data Protection Review Court (the “DPRC”). Following an examination of those regulatory developments in the US, the Commission adopted its Adequacy Decision on 10th July 2023, which put in place the new transatlantic framework for personal data flows between the EU and the US, the DPF.
Against this background, the Applicant, a French citizen and user of various IT platforms that collect his personal data and transfer them to the US, asked the General Court to annul the Adequacy Decision. According to the Applicant, the DPRC is neither impartial nor independent, but dependent on the executive. Moreover, he argued that the practice of the US intelligence agencies gathering large amounts of personal data while in transit from the EU, without the prior authorisation of a court or an independent administrative authority, is not restricted in a sufficiently clear and precise manner and is, therefore, illegal.
Considerations of the Court
The Applicant’s challenge was structured around five pleas in law. The Court considered primarily four substantive ones: (i) violation of Articles 7 and 8 of the Charter (right to private and family life and protection of personal data), (ii) infringement of Article 47 of the Charter (right to an effective remedy and to a fair trial) and of Article 45(2) of the GDPR (transfers on the basis of an adequacy decision), (iii) breach of Article 22 of the GDPR (automated processing decisions), and (iv) insufficiency of safeguards regarding data security under Article 32 of the GDPR.
1. Independence and Impartiality of the DPRC
The Court first considered the Applicant’s argument that the DPRC was not an “independent and impartial tribunal previously established by law,” as required by Article 47 of the Charter and Article 45(2) GDPR. He claimed that the DPRC, created by an Attorney General order rather than an act of Congress, remained part of the executive branch and lacked sufficient guarantees of independence.
The Court rejected this argument. It first recalled that the Commission’s task, when adopting an adequacy decision, is not to ensure identical protection but one that is essentially equivalent to EU standards. Drawing on the case-law of the European Court of Justice and the European Court of Human Rights, the Court held that the requirement that a tribunal be “established by law” is functionally tied to guarantees of independence and impartiality and does not necessarily require a legislative act.
The Court examined the legal framework of the DPRC and found several safeguards ensuring its independence:
- The DPRC was created by the Attorney General pursuant to Executive Order 14086, under a lawful delegation of authority.
- Judges of the DPRC are appointed for fixed terms and may only be removed for specified reasons.
- Judges are explicitly protected from day-to-day supervision or interference by the Attorney General or the intelligence services.
- The Privacy and Civil Liberties Oversight Board (PCLOB), though situated within the executive branch, is an independent agency tasked with monitoring compliance by the DPRC and the Civil Liberties Protection Officer (CLPO).
The Court noted that these safeguards collectively ensure independence equivalent to that required by EU law, and that effective judicial protection could be ensured not only by a court belonging to the judicial order, but also by any other ‘body’ that offered persons whose data were transferred to the US guarantees essentially equivalent to those required by Article 47 of the Charter. The plea was therefore dismissed.
2. Bulk Collection of Personal Data and the Right to Privacy
The Applicant also claimed that bulk collection of data in transit from the EU by US intelligence agencies under the DPF was not subject to prior judicial or administrative authorisation, contrary to the requirements of Articles 7 and 8 of the Charter. He argued that US intelligence agencies could collect vast quantities of data, without that access being subject to any judicial review, contrary to EU standards and to the reasoning of Schrems II.
The Court first clarified that mass collection, meaning indiscriminate, generalised surveillance, is not authorised under US law. However, bulk collection of signals intelligence can occur outside the United States when targeted collection is impossible and only for six specific national-security objectives: protection against terrorism, espionage, weapons of mass destruction, cyber threats, threats to US or allied personnel, and transnational crime.
The Court observed that the DPF confines bulk collection to situations where targeted collection is unfeasible, restricts it to specific threats, and requires data-minimisation, proportionality, and periodic review. Independent bodies such as the PCLOB, inspectors general, and congressional committees, monitor compliance, while the DPRC provides an enforceable avenue for complaints.
Taken together, these mechanisms ensured that access to EU data is limited, supervised, and proportionate. The Court therefore held that the absence of prior judicial authorisation does not undermine adequacy, since the overall system offers equivalent protection in substance. The Applicant’s second plea was therefore dismissed in its entirety.
3. Automated Decision-Making and Data Security
Lastly, the Applicant argued that the DPF did not adequately protect EU citizens against decisions based solely on automated processing and failed to ensure appropriate data security measures.
The Court rejected these claims. Referring to a 2018 Commission study, it noted that participating US organisations are bound by DPF principles equivalent to Articles 22 and 32 GDPR and that there was no evidence of decisions being made solely by automation. Sector-specific US laws, particularly in credit, insurance, and employment, provide substantive safeguards.
As to data security, the Court found that the DPF incorporates robust obligations equivalent to those under Article 32 GDPR. The terms “create,” “maintain,” “use,” “store,” and “disclose” within the DPF’s annexes encompass all forms of data processing and implicitly require the implementation of appropriate security measures, including when consulting data. Therefore, the framework sufficiently protects against unauthorised access or processing. Therefore, these pleas were also dismissed by the Court.
Conclusion
After addressing each of the Applicant’s arguments, the General Court concluded that none of the pleas could succeed and dismissed the action in its entirety. The Commission’s assessment that US law ensures an “adequate level of protection” for personal data under the DPF was lawful.
This judgment represents a pivotal confirmation of the EU–US Data Privacy Framework’s legality and a reaffirmation of the European Commission’s discretion under Article 45 GDPR. The General Court adopted a pragmatic approach to “essential equivalence,” recognising that adequacy does not require the replication of EU rules, but a framework that achieves comparable results in practice. It held that the DPRC satisfies Article 47 Charter requirements for independence, and that the absence of prior judicial authorisation for bulk data collection is offset by comprehensive oversight, proportionality rules, and enforceable redress.
This judgment restores a measure of stability to transatlantic data transfers following Schrems I and Schrems II. While further appeals to the Court of Justice are possible, the ruling suggests judicial confidence in the DPF’s reformed safeguards and its compliance with EU fundamental-rights standards.
Disclaimer: Ganado Advocates is responsible for contributing to this law report but was not in any way involved as legal advisor for the parties in the judgement being covered in this law report. This article was first published in ‘The Malta Independent’ on 29/10/2025.
Author
Related Articles
More Insights
