US data transfers: no more Groundhog Day


The European court has finally said "yes" to transfers of personal data from the EU to the US. What does this historic case mean for companies using personal data, and can it hold under the new US administration?

For data protection professionals, the morning of 3 September 2025 had an unpleasantly familiar feel: waiting for news from the European court on whether it would stop frictionless transfers of personal data from Europe to the US.

Five years ago, such a “cliff-edge” ruling from the court caused chaos as data protection teams patched together compliance schemes to keep the wheels of international digital commerce on track. Five years before that, it was the same story when the court suddenly declared that the frameworks for US transfer were not sufficient to protect personal data from potential government interference.

This time around, weekends are back on. Concerted efforts by the Biden administration to increase trust in how the US handles personal data – which had been badly damaged in the 2010s by the Snowden revelations about bulk interception – have led to the European court putting its stamp of approval on the current scheme, called the Data Privacy Framework (DPF).

The case, Latombe v Commission, offers fascinating insight into the current state of EU/US relations, and a warning shot about where the future may be heading in this ever-evolving game of digital diplomacy.

Here are our key takeaways from the case, and advice for those trying to manage US transfers of personal data subject to the General Data Protection Regulation, the GDPR.

Why are transfers difficult? 

In essence, this case is about whether or not standards of data protection in the US are the same as in Europe. Everyone knows that the US has nothing like the GDPR: the US, as with other regulatory areas, historically relies on “after the event” punishment, in the form of class actions, rather than on pre-emptive regulation. 

But laws are not the only mechanism to protect personal data. There are three other pillars of protection: contractual terms, industry standards, and individual rights of redress. Each plays a different role and protects different parties in the chain. 

What did the court say?

What did the court say about each of these pillars, and how did it come to its conclusion?

First, it said that the lack of equivalent US law doesn’t really matter, given the effect of the other pillars. 

The court pointed to contractual protections, since importers are mostly subject to the GDPR anyway, under its wide extra-territoriality rules. For the (small) group not caught by the GDPR, the court invoked various US sectoral laws such as the Fair Credit Reporting Act, which have rules about data security and automated decisions. 

It also considered the DPF itself. The framework imposes contractual requirements on onward transfers. And on the question of industry standards, again the DPF came to the rescue, since DPF participants must commit to compliance with data protection standards. The court dismissed differences between these and provisions in Article 32 of the GDPR as mere quibbling. 

The court echoed UK pragmatism. Upcoming changes to the UK GDPR allow the government and exporters to rely on a more holistic “data protection test” to assess essential equivalence of protection in receiving countries such as the US, rather than a strict one-to-one match.

The redress question

The most serious challenge was on the question of individual redress. Here, the court noted the serious efforts made by the previous US administration under Executive Order 14086 to set up a Data Protection Review Court, and oversight from the PCLOB and other bodies.

Crucially, the court judged the position in 2023 when the Commission made its adequacy decision underpinning the DPF. It considered that as originally set up, the mechanisms for individual redress were sufficient.

It also refused to criticise the US for not requiring prior authorisation for bulk intercept and relying instead on after-the-event review. This is in line with many jurisdictions, with the UK a notable exception.

Will it stand?

The ruling is “third time lucky” for the Commission and for data exporters and reflects much hard work in trying to address the concerns of data subjects in Europe. But given where we are with digital regulation, and the change of US administration, it will almost certainly be challenged again.

First, this is the decision of a lower court. It has left the door open to appeal to the ECJ, which will have wide discretion to take another look. 

Second, it’s fair to say that things have changed in the US since 2023. The court repeatedly noted that its assessment of the sufficiency of redress measures and US judicial independence was highly context dependent. If a higher court allows itself to consider the position now, the outcome could be very different.

Third, the court made quite a play of the Commission’s duty to review the adequacy decision on an ongoing basis and if necessary to withdraw it. Executive actions in the US which destabilise the redress framework, concerns over unlawful US government access to personal information, and increasing worry about judicial independence (with a dissenting judge saying recently that the US Supreme Court appeared to have “lost its moorings”) will mean that calls for a review will be loud.

The cost of victory

Even if not overturned, this may be a short-term victory at longer term cost, in decreased trust and calls for data localisation in Europe, already proposed in the new EU Cloud and AI Development Act. The decision, alongside general sovereignty concerns prompted by trade friction and AI development, will make EU localisation more likely. This would be a retreat from the principles of the free movement of personal data founded in Article 1 of the GDPR, and cause more logistical headaches for companies trying to leverage US tech capability.

Practice points:

  • the ruling gives a court stamp of approval to the DPF and makes US transfers based on it more certain for the moment
  • it also reduces pressure on US transfer risk assessments for exporters using appropriate safeguards (e.g. SCCs)
  • from a strict legal point of view, adequacy decisions only make lawful those exports which would otherwise be prohibited by Art. 44. They do not constitute a GDPR-compliant protective framework. Controllers should still consider current risks such as mass data disclosures to US government departments
  • however, in practice, EU regulators have not punished controllers relying on adequacy decisions where these are in effect
  • for longer term flows, more stable arrangements such as SCCs, or BCRs for intra-group transfers, are safer and will promote trust and confidence in an uncertain world.

Disclaimer

This information is for general information purposes only and does not constitute legal advice. It is recommended that specific professional advice is sought before acting on any of the information given. Please contact us for specific advice on your circumstances. © Shoosmiths LLP 2025.

 
