On September 3, 2025, the General Court of the European Union decided not to declare the EU-US Data Privacy Framework invalid. This means that data transfers to the US based on the relevant adequacy decision of the EU Commission remain lawful.
A French citizen, who is also a commissioner of the French data protection supervisory authority (CNIL), had filed a lawsuit seeking to have the adequacy decision declared invalid. In addition to formal points of contention, the plaintiff had argued in particular that the Data Protection Review Court (DPRC) was neither impartial nor independent, but dependent on the US executive branch. Furthermore, he argued that the practice of US intelligence services collecting personal data in transit from the EU without prior authorization from a judge or independent authority was not regulated with sufficient clarity and precision.
The General Court, on the other hand, found that Executive Order 14086 fundamentally ensures the independence of the DPRC and that, following its decision, the EU Commission has a duty to continuously monitor the legal framework and can therefore suspend, amend, or limit the scope of the decision itself. With regard to the possible collection of data, the General Court considers that the subsequent judicial review possible under US law is sufficient to ensure legal protection equivalent to that in the EU.
Against this background, the General Court dismissed the action. An appeal to the Court of Justice of the European Union is possible.
'/%3e%3c/svg%3e){kind=small}
'/%3e%3c/svg%3e){kind=small}
