Today (3 September 2025), the EU General Court upheld the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF). A challenge from French MP Phillipe Latombe was dismissed, meaning the DPF continues to stand as a lawful way to move personal data from the EU to the United States. 

A Quick Refresher: What is the DPF? 

The framework was set up to give businesses a clear and legally recognised route for transferring data across the Atlantic. US-based organisations can choose to certify to the scheme through the Department of Commerce, agreeing to follow a set of privacy principles around security, accountability and individuals’ rights. In return, EU regulators recognise those organisations as offering an “adequate” level of protection. 

Why Does This Matter? 

For many businesses, the ruling brings short-term certainty. If you’re already using the DPF, you can continue to do so with confidence, and if you’re considering expanding operations into the US, it offers a straightforward transfer option. 

But it’s also worth remembering the track record: both Safe Harbour and Privacy Shield fell under legal challenge on similar grounds, and campaigners have already signalled that further appeals are likely. That means the framework may not be the last word in EU-US data transfers. 

Recommended Actions 

Given this context, organisations should not assume that the DPF represents a permanent solution. We recommend that organisations subject to the EU GDPR: 

• Maintain ongoing awareness of legal and regulatory developments in this area: Monitoring the progress of appeals, new guidance from regulators, and developments in the US legal landscape is essential. Staying ahead of changes helps avoid last-minute compliance work and ensures you can adapt quickly if the framework is challenged again. 
• Evaluate whether reliance on the DPF alone is sufficient for risk management purposes: You should review the nature of the data your organisation is transferring and assess whether the DPF on its own offers enough assurance. For example, highly sensitive or high-volume transfers may require stronger safeguards than the framework alone provides. Completion of Transfer Impact Assessments (TIAs) or Transfer Risk Assessment (TRA) can help identify whether additional protections are needed, and whether your organisation is comfortable with the residual risk.
• Implement alternative transfer mechanisms: If deemed necessary, strengthen your position by putting alternative transfer tools, such as Standard Contractual Clauses (SCCs), in place as a contingency. Implementing SCCs alongside the DPF provides a safety net if the framework is invalidated in the future. This doesn’t mean duplicating work unnecessarily but preparing template agreements, updating vendor contracts, or ensuring internal processes can quickly pivot to SCCs if needed. Organisations that take this “belts and braces” approach are less likely to face business disruption or regulatory risk if the legal position shifts. 

Looking Ahead 

The Court’s decision offers much-needed stability for now, but it would be unwise to see it as permanent. Treating the DPF as one part of a broader strategy - rather than your only safeguard - will give your organisation more resilience if the legal landscape shifts again.