Ruling on EU-US Privacy Framework Brings Relief, but Questions Remain, Panelists Say

Filed by French Parliament Member Philippe Latombe, the case sought annulment of the DPF (Latombe v. Commission, Case T-533/23) (see 2509030001). The EU court tossed Latombe's request, agreeing with the European Commission's 2023 decision that the U.S. adequately protected Europeans' personal data given the laws and facts that existed at the time.

"The ruling is based on the conditions as they were in 2023," the Norwegian Data Protection Authority said Thursday. "This means that it does not consider the developments of recent years."

The General Court noted that the EC is required to monitor its adequacy decision on the DPF continuously, IAPP Managing Director, Europe Isabelle Roccia said during the IAPP webinar.

A date for the next EC review of the DPF hasn't been set, but several factors could pressure it to schedule one sooner rather than later, Roccia added. For example, she noted interest from the European Parliament, EU governments and civil society could trigger a review.

In addition, actions such as President Donald Trump firing members of the U.S. Privacy and Civil Liberties Oversight Board (see 2501280044) and the FTC (see 2503190049) could also trigger a quicker review, Roccia said.

The General Court's decision, which won strong praise from privacy practitioners, was a victory for the EU and U.S., but not in the way they intended, IAPP Director of Research & Insights Joe Jones said.

The EU argued that Latombe's case should not have been heard because he was seeking annulment as a private citizen, not in his capacity as a French legislator, and therefore lacked standing to sue, Jones noted.

The European Commission and U.S. government had wanted the court to focus on the issue of standing, but it didn't. Instead, Jones said, the court ruled on the substance of the issues, which means any appeal will focus on the substance rather than on the procedural issue of standing.

The ruling has wider implications, Hogan Lovells data, privacy and cybersecurity attorney Julie Schwartz said in a blog post Wednesday.

For instance, it's relevant for the Swiss-U.S. Data Privacy Framework that was adopted in parallel to the EU decision and mirrors many of its main elements, Schwartz said. While Switzerland isn't bound by the General Court decision, its confirmation of adequacy under the DPF "strengthens the legitimacy and perceived stability of the Swiss framework as well."

Similarly, the ruling also has "significant practical implications for transfers" to the U.S. from the U.K., given that Britain has adopted a mirror mechanism based entirely on the DPF, Schwartz wrote. Like Switzerland, the U.K. isn't bound by decisions of the General Court and European Court of Justice, but an annulment of the DPF "would have put the UK in a very delicate situation to either uphold the decision or otherwise differ from the EU's position."

"By dismissing Latombe's action, the General Court also released the U.K. Government and any U.K. companies relying on the DPF for data transfers from both political and legal uncertainty," Schwartz noted.

She cautioned, however, that "while the judgment is a decisive first-stage victory for transatlantic data transfer stability, the door remains open to future turbulence."

She urged businesses to monitor developments and have contingency plans such as standard contractual clauses or binding corporate rules to mitigate transfer risks in the event of future legal or political uncertainty that spark further attempts to invalidate the DPF.