Stefano Gazzella : 5 September 2025 07:55
April 1st wasn’t an April Fool’s joke: the first hearing in the Latombe v. Commission case was adjourned to September 3rd for a ruling on the appeal filed for the annulment of the adequacy decision relating to the Data Privacy Framework.
An adequacy decision is the legal instrument provided for by Article 13 of the ECHR. 45 GDPR, through which the Commission recognizes that a third country or organization ensures an adequate level of protection, including in relation to a territorial or sectoral scope, thus allowing the international transfer of personal data without the need for further authorizations or conditions.
With a press release, the General Court of the European Union announced the outcome of the judgment, dismissing the appeal and recognizing that the regulatory framework in force in the United States guarantees a level of protection “essentially equivalent” to that guaranteed by European data protection legislation.
In short: at the moment, it has been A “Schrems III” effect has been avoided. But there is still the possibility of a second level of judgment.
The history of agreements between the United States and the European Union for the transfer of personal data is particularly troubled: first the Safe Harbor, then the Privacy Shield were annulled following the Schrems I and Schrems II rulings. This is why the new Data Privacy Framework agreement was adopted in 2023.
The crucial issues also addressed in Latombe’s appeal concern the effectiveness of judicial protection and the legitimacy of the collection and use of data by US intelligence agencies.
The ruling addresses the process of strengthening the fundamental guarantees implemented by the United States regarding the processing of personal data through the establishment and functioning of the Data Protection Review Court (DPRC), the court responsible for overseeing data protection. The independence of the DPRC, challenged in the appeal, was confirmed by noting that it was ensured by presidential executive orders. Regarding the issue of the mass collection of personal data by intelligence agencies, the Court held that the judicial protection offered by the DPRC is equivalent to that guaranteed by EU law.
The reaction from noyb, Max Schrems’s NGO of digital rights activists, challenges the Court’s decision and suggests that if the appeal is based on different arguments, or even if the ruling is challenged before the CJEU, the outcome will be very different. One of the critical points concerns independence, guaranteed by a presidential order and not by law, which, given the current context of the Trump administration, certainly cannot be considered a sufficient safeguard.
The fate of the Data Privacy Framework remains uncertain. This can also be deduced from one of the passages in the ruling, which recalls that the Commission must evaluate any changes in the regulatory context over time.
In short: there is no “always and forever,” but it is possible for the adequacy to be reviewed and suspended, modified, or revoked in whole or in part by the Commission itself. Or, alternatively, it can be annulled by an intervention by the CJEU.
If the Data Privacy Framework is no longer in force, it is still possible to invoke adequate safeguards or otherwise receive specific authorization from a supervisory authority, as provided for by Article 13 of the GDPR. 46 GDPR and as has happened previously.
All this is a sense of déjà vu. But more than a glitch in the Matrix, it expresses the inevitable interference of international politics in the stability of the law. This highlights and recurs the opposing claims of regulatory overreach by both the United States and the European Union.
Stefano Gazzella