General Court of the European Union confirms EU-US Data Privacy Framework

On September 3, 2025, the General Court of the European Union (EC) dismissed an action for annulment against the European Commission's adequacy decision on the EU-US Data Privacy Framework in case T-553/23. French MP Philippe Latombe had doubts about the independence of the newly created Data Protection Review Court (DPRC) and criticism of the US intelligence services' practices in collecting personal data.

In an action to annul a Commission adequacy decision on the protection of personal data, the court must assess whether the law of the third country is capable of ensuring a level of protection essentially equivalent to that guaranteed by the Charter of Fundamental Rights of the European Union. This includes assessing the effectiveness of the legal remedies available to data subjects.

Decision of the General Court of the European Union

The Court finds that the Data Protection Review Court (DPRC), created by Executive Order 14086 of the United States, is an independent and impartial tribunal within the meaning of Article 47(2) of the Charter. The independence of the DPRC is ensured by several factors:

• The judges are appointed by the Attorney General after meeting the same criteria as federal judges and having relevant legal experience.
• They are not employees of the executive branch at the time of their appointment or in the two years prior.
• The decisions of the DPRC are final and binding on all intelligence agencies and the U.S. government.

Relationship with the Executive Branch: The independence of the DPRC is not compromised by the fact that it reviews decisions by a body, the Civil Liberties Protection Officer (CLPO), which reports to the Director of National Intelligence. The DPRC has the power to independently review and, if necessary, overturn the CLPO's decisions.

An appeal to the Court of Justice of the European Union (CJEU) limited to legal issues is possible against the court's decision.