The European Union’s General Court, the bloc’s second-highest court, has handed Brussels and Washington a crucial win: it upheld the US-EU Data Privacy Framework, dismissing a French challenge that sought to annul the 2023 agreement allowing personal data to move freely across the Atlantic.
This sounds technical. It isn’t. The ruling affects everything from sending an email, booking a hotel or storing photos in the cloud. American and European companies depend on moving personal information — names, emails, credit card numbers, even browsing histories — from Europe to servers in the US. More than 2,800 US companies — from Silicon Valley tech giants to small service providers — have signed up to the framework. Without it, they could no longer process Europeans’ data. The result would be digital chaos, disrupting business worth hundreds of billions of euros annually.
The issue underlines a fundamental transatlantic split over privacy protections. Europe has enacted a strong privacy law, the General Data Protection Regulation. It limits government access to personal data. If data is sent outside the 27-nation European Union, the receiving country must provide equal protection, so-called adequacy.
Many other countries, from Japan to the UK, have responded by enacting European-style privacy laws. But the US has no national privacy protections. This gap has turned transatlantic data transfers into a tension-filled battleground.
Twice before, Europe’s highest judges knocked down earlier agreements. In 2015, in a case known as Schrems I, the European Court of Justice invalidated a Safe Harbour deal. In 2020, in Schrems II, it did the same to the first Privacy Shield. Both rulings said that US surveillance laws allowed intelligence agencies too much access to European data.
To avoid another rupture, Washington and Brussels negotiated a new Data Privacy Framework, which the European Commission declared “adequate” in July 2023. The deal created new limits on intelligence collection and, crucially, set up the Data Protection Review Court. This body allows Europeans to challenge US surveillance of their data.
French MEP Latombe was unconvinced. He sued, claiming the US Data Protection Review Court was not truly independent, as it sits within the Department of Justice, and that US agencies still collect data in bulk without proper oversight.
The European General Court disagreed. It ruled that the Data Protection Review Court contains safeguards that prevent executive interference, and that bulk data collection is subject to judicial review afterwards.
For companies, the alternative was grim. Without the Data Privacy Framework, firms would need to rely on complex legal tools such as standard contractual clauses to transfer data — mechanisms that are cumbersome, expensive, and vulnerable to further litigation.
This stability is particularly important in today’s digital economy. Cloud services, social networks, and artificial intelligence training all rely on large-scale data transfers. Halting them would hurt innovation and trade.
The story is not over. Latombe can appeal to the Court of Justice, the EU’s highest court, which twice before dismantled similar frameworks. That court has a reputation for taking a harder line on privacy. And politics matters. The General Court’s judgment considered the situation in mid-2023. But privacy advocates argue that US commitments are fragile — based on executive orders that a future president can revoke, not laws passed by Congress.
Since then, Donald Trump has returned to the White House and removed three Democratic members of the Privacy and Civil Liberties Oversight Board, leaving it without a quorum. Austrian activist Max Schrems, whose lawsuits brought down Safe Harbour and Privacy Shield, argues that the firings show the United States no longer offers protections “essentially equivalent” to those guaranteed in Europe. His NGO, None of Your Business, warns the framework may not withstand scrutiny.
The European Commission has promised to review the framework again in 2027. For now, the transatlantic data bridge stands. The ruling buys Brussels and Washington time. But history suggests caution. Each new legal challenge risks throwing the system into turmoil.
Dr. Anda Bologa is a senior researcher in the Tech Policy Program at the Center for European Policy Analysis (CEPA).
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
2025 CEPA Forum Tech & Security Conference
Explore the latest from the conference.
