On September 3, 2025, the European General Court (General Court) dismissed an action challenging the EU–U.S. Data Privacy Framework (DPF), developed to provide U.S. organizations with a reliable means to transfer personal data from the United States to the European Union, consistent with EU law.
The General Court’s judgment in case T-553/23, Philippe Latombe v European Commission, confirms that “the United States ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country,” the Court’s press release states. The General Court and the Court of Justice make up the Court of Justice of the European Union (CJEU).
This decision means that entities that have self-certified compliance with the DPF may, for now, continue to rely on that mechanism for personal data transfers to the United States from the European Union (EU). The self-certification process includes, for example, a description of an organization’s activities with regard to all personal data received from the European Union in reliance on the EU-U.S. DPF, the organization’s policies covering such data, the types of data processed and, if applicable, the type of third parties to which it discloses such personal information.