Under the EU-U.S. Data Privacy Framework (DPF), companies from the EU can transfer personal data to the United States. The data protection agreement is intended to ensure a comparable level of data protection in the United States. The General Court of the European Union has now issued its first ruling on whether the DPF meets the requirements of European law (judgment of 3 September 2025 – Ref.: T-553/23).
The facts
A French plaintiff challenged the Commission’s adequacy decision of 10 July 2023, on the EU-US Data Privacy Framework (DPF). The plaintiff argued that the Data Protection Review Court (DPRC) established in the U.S. was not independent and therefore did not provide effective legal protection under Article 47 of the EU Charter of Fundamental Rights. The plaintiff also criticised the DPF for allowing U.S. authorities to conduct mass surveillance without judicial oversight.
The aim of the lawsuit was to have the adequacy decision regarding the EU-US Data Privacy Framework declared invalid.
Current judgements on the GDPR
Read our regular reviews of data protection law rulings to stay up to date!
The ruling
The General Court of the European Union dismissed the action in its entirety. It found that, despite its establishment by executive order, the DPRC has sufficient institutional and procedural safeguards to be considered an independent and impartial body. These include
- fixed terms of office with protection against arbitrary dismissal,
- selection criteria similar to those for federal judges, and
- review mechanisms by other supervisory bodies.
With regard to surveillance practices, the General Court emphasised that although the collection of large amounts of personal data is not excluded, it is subject to strict conditions. Prior judicial authorisation is not mandatory under EU law as long as other effective control mechanisms are in place.
Overall, the court therefore confirmed the EU Commission’s assessment that the U.S. offers a level of protection under the EU-US Data Privacy Framework that is essentially equivalent to that of the EU.
Data protection assessment
In practice, the ruling initially means legal and planning certainty: The Commission’s current adequacy decision remains valid. Companies can therefore continue to rely on the DPF as the legal basis for data transfers to the U.S.
However, the decision also shows that the General Court focuses less on the formal legal nature of the guarantees and more on their practical effectiveness. This makes it clear that the decisive factor is whether data subjects have effective access to legal protection, and not whether this has been established by law or executive act. This is relevant for German practice, as supervisory authorities and courts must follow this functional logic of the General Court when assessing third-country transfers.
It remains critical that even data collection without cause is considered compatible under certain circumstances. Although data subjects have formal legal protection, they must accept that U.S. authorities can act on the basis of far-reaching powers. Companies should therefore document the use of the DPF in detail and also review technical and organisational protective measures.
Conclusion
The General Court strengthens the position of the European Commission and stabilises transatlantic data transfers. For companies, this creates legal certainty, at least in the short term.
In the long term, however, it remains to be seen whether the decision will also stand up before the European Court of Justice (ECJ), the highest instance, should it be reviewed. It is also foreseeable that there will be further lawsuits challenging the DPF.
In practice, the adequacy decision is currently still a suitable guarantee under Art. 45 GDPR, but careful risk assessment for U.S. transfers is still required. A Schrems III decision cannot be ruled out. Organisations should have a plan B in place if necessary.
