Blog

EU Court Confirms EU-US Data Privacy Framework Validity

By Chris Linnel 3 September 2025 2 min read

On the 3rd September, the EU General Court upheld the European Commission’s adequacy decision for the EU-US Data Privacy Framework (DPF). A challenge from French MP Phillipe Latombe was dismissed, meaning the DPF continues to stand as a lawful way to move personal data from the EU to the United States.

A Quick Refresher: What is the DPF?

The framework was set up to give businesses a clear and legally recognized route for transferring data across the Atlantic. US-based organizations can choose to certify to the scheme through the Department of Commerce, agreeing to follow a set of privacy principles around security, accountability and individuals’ rights. In return, EU regulators recognize those organizations as offering an “adequate” level of protection.

Why Does This Matter?

For many businesses, the ruling brings short-term certainty. If you’re already using the DPF, you can continue to do so with confidence, and if you’re considering expanding operations into the US, it offers a straightforward transfer option.

But it’s also worth remembering the track record: both Safe Harbor and Privacy Shield fell under legal challenge on similar grounds, and campaigners have already signaled that further appeals are likely. That means the framework may not be the last word in EU-US data transfers.

Recommended Actions

Given this context, organizations should not assume that the DPF represents a permanent solution. We recommend that organizations subject to the EU GDPR:

Maintain ongoing awareness of legal and regulatory developments in this area: Monitoring the progress of appeals, new guidance from regulators, and developments in the US legal landscape is essential. Staying ahead of changes helps avoid last-minute compliance work and ensures you can adapt quickly if the framework is challenged again.
Evaluate whether reliance on the DPF alone is sufficient for risk management purposes: You should review the nature of the data your organization is transferring and assess whether the DPF on its own offers enough assurance. For example, highly sensitive or high-volume transfers may require stronger safeguards than the framework alone provides. Completion of Transfer Impact Assessments (TIAs) or Transfer Risk Assessment (TRA) can help identify whether additional protections are needed, and whether your organization is comfortable with the residual risk.
Implement alternative transfer mechanisms: If deemed necessary, strengthen your position by putting alternative transfer tools, such as Standard Contractual Clauses (SCCs), in place as a contingency. Implementing SCCs alongside the DPF provides a safety net if the framework is invalidated in the future. This doesn’t mean duplicating work unnecessarily but preparing template agreements, updating vendor contracts, or ensuring internal processes can quickly pivot to SCCs if needed. Organizations that take this “belts and braces” approach are less likely to face business disruption or regulatory risk if the legal position shifts.

Looking Ahead

The Court’s decision offers much-needed stability for now, but it would be unwise to see it as permanent. Treating the DPF as one part of a broader strategy - rather than your only safeguard - will give your organization more resilience if the legal landscape shifts again.

All Blogs