In July 2023, we reported in detail on the introduction of the Trans-Atlantic Data Privacy Framework (TADPF; now mostly referred to as DPF) and the new legal basis for data processing in the US that it created. About two years later, there has been a first important court ruling that could significantly influence the future of the agreement.
In this article, we summarize the current situation, explain the decision of the General Court (GC) of 03. September 2025 in case T-553/23, filed by Philippe Latombe, and highlight what website operators need to know now.
Why the TADPF is so important
With the TADPF, the European Commission was able to conclude a new agreement on data protection adequacy with the US in July 2023. Following the failure of “Safe Harbor” (2015) and the “Privacy Shield” (2020), this agreement provided website operators and companies with much-needed legal certainty regarding data transfers between the EU and the US.
The level of data protection in the US was considered inadequate by EU standards because security and intelligence services have extensive access to personal data, including that of EU citizens, based in part on FISA Section 702 (50 U.S.C. § 1881a), while non-US citizens have only limited legal recourse (i.e. they can take legal action against it). In addition, the CLOUD Act (amendments to the Stored Communications Act, 18 U.S.C. § 2713) allows US authorities to access data from US companies even if this data is stored in data centers outside the US – for example, when Microsoft stores data from European customers in Azure data centers within the EU. The ECJ ruled in its “Schrems II” judgment that these shortcomings were incompatible with EU standards.
The US committed itself through the Executive Order 14086 (a presidential decree that can be enacted and suspended by the current US president) and supplementary requirements in October 2022 under Joe Biden, the US committed to further restricting its intelligence services’ access to the personal data of EU citizens and to introducing new legal remedies. This includes, in particular, the Data Protection Review Court (DPRC) as an independent appeals body. This enabled the European Commission issue an adequacy decision in accordance with Art. 45 GDPR for the US, and website operators were finally able to use US services again with legal certainty on the basis of the adequacy decision.
Philippe Latombe’s lawsuit: General Court confirms adequacy decision
Shortly after the DPF came into force in October 2023, French member of parliament Philippe Latombe filed an urgent application (T-553/23) to immediately suspend the European Commission’s adequacy decision. This application was rejected. This was followed by the main proceedings at the General Court of the European Union (GC). After the verbal hearing on 01. April 2025, the judgment was announced (currently only available in French):
The lawsuit was dismissed.
Key statements by the court
- Test criterion: The General Court clarified that the GDPR does not require an identical level of data protection for adequacy decisions under Art. 45 GDPR – in relation to the date of the adequacy decision (July 2023).
- DPRC: The new appeals court in the US was deemed sufficiently independent and effective despite its anchoring in the executive branch.
- Surveillance: The court considers the restrictions imposed by Executive Order 14086 and other US regulations to be sufficient to meet the requirements of proportionality and necessity.
- Data security: The mechanisms for companies self-certified under the DPF are considered sufficient to comply with the requirements of the GDPR.
Latombe now has two months to appeal the judgment of the GC to the European Court of Justice (ECJ). If he chooses to do so, a decision by the ECJ as the highest court is not expected before mid-2027. We will therefore have to wait and see whether the ECJ confirms the judgment of the General Court in this case or assesses the data protection concerns raised differently.
What does the ruling mean for website operators?
The ruling means one thing above all else: For the time being, website operators can rest assured that DPF-certified US services can continue to be used on the basis of the current adequacy decision.
Complex alternative solutions such as standard contractual clauses or recourse to Art. 49 GDPR for certain individual cases will therefore continue to be unnecessary for common US services as of mid-2023. Please note, however, that if US services also process data in other unsafe third countries, such measures may still be necessary due to the data processing practices in those countries. Real Cookie Banner will show you this requirement when configuring services.
- Legal certainty remains for the time being: US services that are DPF certified can continue to be used without additional standard contractual clauses or long blocks of text in the cookie banner.
- No changes to existing integrations: Anyone who already uses US services such as Google, Meta, or Microsoft in accordance with the DPF and, where applicable, with the necessary consent, does not currently need to make any changes to their website.
- Caution with non-certified providers: US services without DPF self-certification remain unsafe unless standard contractual clauses or other appropriate safeguards are agreed upon.
Further lawsuit announced by Max Schrems and noyb
Probably the most well-known figure in this field is Austrian lawyer Max Schrems, founder of the data protection organization noyb. It was he who brought down the Safe Harbor Agreement with the “Schrems I! case (2015) and the Privacy Shield with “Schrems II” (2020) in front of the ECJ.
Shortly after the DPF came into force, Schrems announced his intention to challenge this agreement in court as well. In 2023 and 2024, corresponding complaints were filed with national data protection supervisory authorities, which may later be taken through national courts and ultimately to the ECJ. To our knowledge, Schrems has not yet been able to file a lawsuit in court, which is probably also due to the lengthy proceedings involved in complaints to data protection supervisory authorities. He has already taken this route in previous successful judgments.
Following the outcome of the Latombe case, Schrems is now likely to make a strategic decision: either he waits for the appeal to the ECJ in order to align his line of argumentation with it, or he pursues his own lawsuits in parallel. What is clear is that noyb continues to stand by its criticism – in particular of mass surveillance in the US and the limited independence of the DPRC.
Conclusion: Temporary relief, but no final solution
The ECJ ruling confirms the European Commission’s position and provides website operators with peace of mind and legal certainty for the time being. The integration of US services will therefore remain practicable for the coming years.
Political risks posed by the new Trump administration to roll back existing protective measures cannot be ruled out. As a result of such measures, the European Commission could revoke the decision during the next periodic review (scheduled for 2027). However, this scenario is considered unlikely, as both the US and the European Commission have economic interests in maintaining the adequacy decision.
In the long term, there remains a risk that the ECJ will overturn the adequacy decision. Things will get exciting again in 2027 at the latest, when the next scheduled review of the adequacy decision by the European Commission or a possible ECJ ruling is due!