The European Commission’s Rejection of Latombe
The rejection leaves the DPF politically fragile, legally untested at the Court of Justice, and vulnerable to shifts in Washington.
Published by The Lawfare Institute
Transatlantic data flows between the U.S. and the European Union have a turbulent history. The first two attempts at creating a sustainable, legal framework that allows American companies to process the personal data of European citizens in a manner which is compliant with the General Data Protection Regulation (GDPR) have not survived judicial review. However, the latest attempt to regularize transatlantic data transfers has survived its first courtroom challenge.
In September, the General Court of the EU rejected a case seeking to strike down the European Commission’s adequacy decision approving the EU–U.S. Data Privacy Framework (DPF). For now, the framework remains in place. But the judgment may say more about the weaknesses of the challenger’s arguments than the strength of the agreement itself.
The case was brought before the court by Philippe Latombe, a French parliamentarian who argued that the DPF was little more than a cosmetic fix for deep-seated problems: disproportionate U.S. surveillance, inadequate redress, and weak protections against automated decision-making. Notably, his challenge echoed the famous Schrems I and Schrems II litigation that dismantled the Safe Harbor and Privacy Shield regimes due to U.S. government surveillance and inadequate protection of EU citizens’ data.
Latombe’s action was narrow, rushed, and ultimately unsuccessful. The court’s dismissal of this case vindicates the European Commission for now, but it leaves the DPF politically fragile and legally untested at the Court of Justice of the European Union (CJEU). What’s more, the rejection also leaves the DPF especially vulnerable to shifts in Washington, where the framework rests on a revocable executive order and a shaky oversight board.
Background
To recap, the Data Privacy Framework, adopted in July 2023, is the European Commission’s third attempt at restoring legal certainty for transatlantic data flows. Like Safe Harbor and Privacy Shield before it, the framework relies on U.S. companies to voluntarily certify compliance with a set of privacy principles and submit to oversight by the Department of Commerce and the Federal Trade Commission. What distinguishes the DPF is not corporate obligations, but changes at the government level: President Biden’s Executive Order 14086, which implements the DPF, imposes binding “necessity and proportionality” limits on signals intelligence activities and creates the Data Protection Review Court (DPRC), a new two-tier mechanism intended to give EU individuals an independent form of redress.
Safe Harbor, struck down in Schrems I (2015), collapsed because the European Commission’s 2000 adequacy decision offered little more than corporate self-certification, while leaving U.S. surveillance powers untouched. That made it impossible for EU citizens to enjoy protections equivalent to those guaranteed under EU law. Its successor, the Privacy Shield (2016), was designed to patch those holes with more detailed corporate rules, stronger enforcement by U.S. regulators, and an “ombudsperson” mechanism to handle complaints about government surveillance. But in Schrems II (2020) the CJEU found those reforms inadequate: The ombudsperson lacked independence and binding powers, and the underlying U.S. surveillance regime still permitted disproportionate bulk access to EU data. The European Commission drafted the DPF to address the criticisms raised in Schrems I and II.
The DPRC—according to the European Commission—is meant to be more than the Privacy Shield’s ombudsperson: Its members have tenure protections, its decisions are binding on U.S. intelligence agencies, and its procedures are overseen by the U.S. attorney general. The Biden White House also pitched Executive Order 14086 as a direct response to the CJEU’s proportionality concerns, requiring surveillance to be targeted and subject to layered oversight. Whether these innovations amount to essential equivalence with the GDPR in practice—a standard outlined in Schrems I and Schrems II—remains contested.
The Challenge and Judgment
Latombe’s challenge to the DPF was based on three pillars.
The first pillar is that the DPF breaches a European citizen’s fundamental rights, and the General Data Protection Regulation, because it lacks an effective, independent tribunal. Indeed, Latombe argued that the DPRC is merely a “para-judicial body under the executive power” (this phrase was translated from the decision’s original French “un organe parajuridictionnel dépendant du pouvoir exécutif”). Latombe argued that given how judges cannot be appointed to the DPRC without the attorney general first consulting the Privacy and Civil Liberties Oversight Board (PCLOB), judicial appointments to the DPRC cannot be impartial.
According to Latombe, since the PCLOB is established by the executive, appointments cannot be considered impartial. This argument was rejected by the court, which noted that the PCLOB’s composition must be bipartisan and those appointed cannot be current members of government. The court examined the framework in which the DPRC was established, including the rules on the qualification and executive oversight of the DPRC judges, as well as the impact of their decisions on the actions of the intelligence agencies conducting the data collection. The court ultimately found that the DPRC did meet the standard of an independent and impartial tribunal.
The second pillar of Latombe’s argument was that the DPF does not prevent the bulk collection of data and that this bulk collection breaches a European citizen’s fundamental rights. Latombe argued that since indiscriminate data collection and retention by European entities is prohibited under the Charter of Fundamental Rights, U.S. participation in bulk signals intelligence collection cannot possibly satisfy the “essential equivalence” test required for an adequacy decision. The court rejected this argument. It noted that the Foreign Intelligence Surveillance Act (FISA)—which grants the U.S. government the authority to “collect, analyze, and appropriately share foreign intelligence information about national security threats”—authorizes only targeted collection, rather than Latombe’s claim of indiscriminate bulk surveillance.
What’s more, Latombe argued that bulk collection of data was unlawful under European law because it did not require prior authorization for the collection activity. His argument here was complicated: He claimed that the absence of judicial review (as was successfully argued in Schrems II where the court held that processing of personal data without the means of judicial redress breached the Charter of Fundamental Rights and hence the GDPR) means that the bulk collection by American agencies is unlawful. However, Latombe conflates the concept of judicial review (contrôle judiciaire) with a requirement for prior judicial authorization for targeted bulk collection. This argument was rejected by the court, which stated that nowhere in Schrems II was it ever stated that prior judicial authorization was required for collection. The court then confirmed that the presence of the DPRC, although ex post (where the review takes place after the data has been collected), was sufficient to meet the Schrems II judicial supervision requirements. The court also confirmed that the limitations that Executive Order 14086 places on the collection of intelligence data are sufficient to ensure that its protections are substantially equivalent to those provided by the GDPR.
Latombe’s third pillar relates to Article 22 of the GDPR, which gives individuals the right not to be subject to decisions based solely on automated processing—including profiling—that produce legal or similarly significant effects. Rather than relying on national security arguments, Latombe shifted his focus to the commercial use of algorithms. He claimed that the absence of a general, across-the-board prohibition on such automated decision-making in U.S. law made the DPF incompatible with the GDPR.
The court rejected this claim, emphasizing three points: First, that in many situations where data is transferred under the DPF, the GDPR still applies to the controller or processor, so Article 22 protections continue to bind them. Second, in areas most likely to involve significant automated decisions—for example, credit scoring, housing, employment, insurance, and access to finance—U.S. sectoral legislation restricts the use of automated decisions and provides redress against algorithmic discrimination. And third, while acknowledging that some residual cases fall outside both the GDPR and U.S. sectoral rules, the court determined that these situations are limited and therefore not sufficient to undermine the overall adequacy of protection. The court concluded that the European Commission had not erred in finding that the U.S. framework provided a level of protection for individuals that is essentially equivalent to that guaranteed within the EU.
Risks to the DPF Persist
The court’s decision affirmed that the DPF remedies the deficiencies of both Safe Harbor and Privacy Shield. Despite this judgment, the risks to the DPF have not, in reality, been materially abated.
The judgment notes that the DPF is the product of an executive order, not a law passed by Congress. Sitting presidents are able to revoke executive orders at will. Indeed, on the first day of his second term, President Trump revoked more than 80 executive orders covering a range of topics, including foreign aid, climate change, labor, biotech, and more. If Trump or any future U.S. president simply felt like it, he or she could revoke Executive Order 14086 at any given time. This is unlikely, however, unless the president seeks to rescind the adequacy decision between the United States and the European Union. This would mean that transatlantic data flows would be limited to situations in which the data subject had given explicit (and revocable) consent, or the transatlantic parties add a set of either standard contractual clauses or binding corporate rules. In any case, rescinding Executive Order 14086 would lead to increased costs in doing business and a murkier and more problematic legal environment for transatlantic data flows.
A potentially larger challenge to the DPF is the reliance on the PCLOB. More specifically, the judgment in Latombe places emphasis on the PCLOB’s role as a fundamental component of the DPF, as it provides oversight of both intelligence collection activities and the DPRC. But the PCLOB might not be as effective as the court likely believes. Another of President Trump’s acts early in his second term was the firing of the three Democratic members of the PCLOB. These firings are currently being contested in court, but as it stands the PCLOB doesn’t have a quorum and thus is unlikely to be able to open new investigations. As such, its effectiveness and its activities as envisaged by the DPF are in question. What’s more, the DPF doesn’t explicitly deal with Executive Order 12333. Notably, this executive order is different from a FISA 702 warrant in that it doesn’t create a mechanism to compel an American entity to transfer personal data. Instead, Executive Order 12333 permits the collection of data without judicial authorization and relies solely on executive oversight. While Latombe didn’t raise this as a principal issue, this order—paired with a weakened PCLOB—could provide an avenue for governments to sidestep the DPF, assuming that an intelligence agency can collect information without the assistance of the American data controller. Such an approach would be incompatible with the GDPR. This possibility has yet to be litigated—Executive Order 12333 was mentioned in passing in Schrems II but was not dealt with substantively.
The court dealt with challenges raised by Latombe that related to bulk collection of data and judicial oversight and their incompatibility with fundamental rights, specifically in relation to La Quadrature du Net and Big Brother Watch, a European Court of Human Rights decision. The court distinguished both of these cases from the Latombe application and arguably used quite a narrow framing of the principles raised in the cases to do so. It is unclear whether the CJEU would take such an approach.
***
Latombe has a short window open to appeal the court’s decision. So far, he has not done so. But were he to do so, the CJEU may find that he has insufficient standing for them to hear the appeal (the court’s decision did not address whether Latombe had sufficient standing to bring the case in the first place, on the basis that the questions raised were of sufficient interest to the administration of justice). As such, there is a reasonable chance that the CJEU will not reconsider the arguments. However, with Max Schrems likely preparing Schrems III in the wings, and a view among sceptics that the DPF is merely a rebadged Privacy Shield and vulnerable to the same ultimate fate when the CJEU next gets the chance to examine it, there will likely be an application by some party (most likely via a challenge to a member state data protection authority) to the CJEU before the end of President Trump’s second term. Such a case would almost certainly extend beyond the limited scope of Latombe. Because Latombe concerned an action for annulment, the General Court’s review was confined to the legality of the European Commission’s adequacy decision at the time of its adoption. The court could not examine subsequent developments, such as the practical implementation of Executive Order 14086 or the operation of the newly established DPRC.
A future challenge could therefore take a broader view—scrutinizing how effectively the United States has operationalized the safeguards introduced by Executive Order 14086, and whether the redress system genuinely delivers independent and binding remedies. It may also reexamine the constraints on the PCLOB, whose recent instability raises doubts about sustained oversight of intelligence activities, and could revisit the issue of bulk data collection under a wider interpretation than that adopted in Latombe.
While the DPF has, for now, survived its first judicial test, its future before the CJEU remains uncertain. The framework rests on executive action rather than legislation, and its durability ultimately depends on the political and institutional stability of the U.S. redress and oversight mechanisms. Should the DPF be struck down—as Safe Harbor and the Privacy Shield were before it—the result would once again cast transatlantic data flows into legal uncertainty. Organizations would have to fall back on alternative transfer mechanisms such as standard contractual clauses or binding corporate rules, with the familiar risks of fragmentation, compliance cost, and regulatory inconsistency. The immediate effect would likely be a chilling of cross-border data transfers and renewed pressure on policymakers to negotiate yet another adequacy framework—one that might, finally, prove durable.
The General Court’s decision therefore provides the DPF with a temporary reprieve—but not a guarantee of survival.
