On September 3, 2025, the European General Court (General Court) dismissed an action challenging the EU–U.S. Data Privacy Framework (DPF), developed to provide U.S. organizations with a reliable means to transfer personal data from the United States to the European Union, consistent with EU law.
The General Court’s judgment in case T-553/23, Philippe Latombe v European Commission, confirms that “the United States ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country,” the Court’s press release states. The General Court and the Court of Justice make up the Court of Justice of the European Union (CJEU).
This decision means that entities that have self-certified compliance with the DPF may, for now, continue to rely on that mechanism for personal data transfers to the United States from the European Union (EU). The self-certification process includes, for example, a description of an organization’s activities with regard to all personal data received from the European Union in reliance on the EU-U.S. DPF, the organization’s policies covering such data, the types of data processed and, if applicable, the type of third parties to which it discloses such personal information.
As reported in a June 3, 2022 press release from the House Committee on Energy and Commerce, U.S. Representatives Frank Pallone, Cathy McMorris Rodgers, and Senator Roger Wicker released a “discussion draft” of a federal data privacy bill entitled the “American Data Privacy and Protection Act” (the “Draft Bill”), which would impact the data privacy and cybersecurity practices of virtually every business and not-for-profit organization in the United States.
As further described below, the Draft Bill’s highlights include: (i) a comprehensive nationwide data privacy framework; (ii) preemption of state data privacy laws, with some exceptions; (iii) a private right of action after four (4) years, subject to the individual’s prior notice to the Federal Trade Commission (“FTC”) and applicable state attorney general before commencement of lawsuit; (iv) exemptions for covered entities that are in compliance with other federal privacy regimes such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Gramm-Leach Bliley Act (“GLBA”) solely with respect to data covered by those statutes; (v) exclusions from Act’s requirements for certain “employee data”; and (vi) a requirement for implementation of reasonable administrative, technical and physical safeguards to protect covered data. The Draft Bill would be enforced by the FTC, and violations treated as unfair or deceptive trade practices under the Federal Trade Commission Act, as well as by state attorneys general.
Blog Editors
Recent Updates
- Video: New H-1B Visa Fee, EEOC Shutters Disparate Impact Cases, Key Labor Roles Confirmed - Employment Law This Week
- New $100,000 H-1B Fee Proclamation – Implications and Action Steps
- Video: FTC Backs Off Non-Compete Ban, Warns Health Care Employers - Employment Law This Week
- Artificial Intelligence and Disparate Impact Liability: How the EEOC’s End to Disparate Impact Claims Affects Workplace AI
- Reminder: Massachusetts Salary Range Disclosure Requirements Take Effect in October