Court of Justice of the European Union Confirms Validity of EU–U.S. Data Privacy Framework

On 3 September 2025, the General Court of the European Union upheld the European Commission’s adequacy decision for the United States. The EU–U.S. Data Privacy Framework (DPF) remains valid as a legal basis for transatlantic data transfers.

For transatlantic business, the ruling is highly significant. By confirming the DPF, the Court provides much-needed predictability essential for trade, innovation, and investment.

Background 

The adequacy decision was adopted in July 2023 after the United States introduced new safeguards, including measures to strengthen oversight of intelligence activities. The European Court of Justice has now rejected a challenge and confirmed that the framework provides adequate protection.

Business Implications 

For U.S. companies in Europe, this ruling reduces legal risks and simplifies compliance. With clearer rules in place, companies can focus on growth and innovation opposed to contingency planning.

At the same time, the Court stressed that the framework requires ongoing monitoring. The adequacy decision is stable today but could be reviewed if conditions in the U.S. change. Companies should therefore welcome the clarity while remaining attentive to future developments. 

The judgment highlights the importance of a stable and predictable transatlantic business environment, where uncertainty is reduced and continuity allows business to thrive.

Looking ahead 

The ruling confirms that the EU–U.S. Data Privacy Framework can serve as a reliable basis for transatlantic data flows. Businesses should view this as an opportunity to plan with greater confidence while preparing for possible future reviews. 
Court of Justice of the European Union – Press Release No. 106/25, Judgment of the General Court in Case T-553/23, Latombe v Commission (3 September 2025).

Read the official press release on CURIA: https://curia.europa.eu/jcms/upload/docs/application/pdf/2025-09/cp250106en.pdf