On September 3, 2025, the General Court of the European Union dismissed the action for annulment brought against the adequacy decision establishing the Data Privacy Framework (DPF).
➡️ Result: the legal framework allowing data transfers to the United States is confirmed.
🔍 What exactly did the Court decide?
The Court held that:
- US law now provides sufficient safeguards, notably following reforms introduced by Executive Order 14086 governing intelligence agency access.
- The Data Protection Review Court constitutes an “independent and effective” redress mechanism, allowing individuals to challenge disproportionate access to their data.
- The European Commission could therefore legitimately conclude that the US ensures an adequate level of protection.
The Court’s reasoning rests on several key elements of the GDPR:
• the logic of “adequacy,” assessed in light of the overall level of protection;
• the consideration of available redress mechanisms;
• the evaluation of proportionality and necessity of US surveillance measures.
📌 Why does this ruling matter for companies?
Because it stabilizes at least temporarily the legal environment for actors transferring data to the United States.
In practice:
- Transfers to DPF-certified companies may resume without systematically relying on Standard Contractual Clauses.
- Supervisory authorities will continue scrutinizing the effectiveness of US safeguards, but the immediate risk of large-scale suspension of transatlantic data flows is reduced.
🧩 Yes, but… what happens when other countries assert extraterritorial access?
This is where the Court’s reasoning meets the limits of the global legal landscape.
Two recent developments question the practical scope of the DPF:
🇺🇸 The US Cloud Act
The Cloud Act allows US authorities to demand access to data even when stored in Europe, provided the company has sufficient jurisdictional ties with the United States.
This creates a paradox:
👉 while the EU validates a structured transfer framework, US law already enables unilateral access to data regardless of where it is physically located.
🇨🇦 The OVHcloud Case
In 2024, Canadian courts ordered OVHcloud to hand over data stored in Europe, relying solely on the company’s “commercial presence” in Canada.
This raises a crucial question:
➡️ Does the physical location of servers still guarantee data protection?
The case is ongoing, but it highlights a broader reality:
extraterritorial claims are multiplying far beyond the transatlantic context.
🎯 So, how should we interpret the Court’s ruling?
The General Court formally validates the Data Privacy Framework, but it also exposes a deeper challenge:
🧩 How can European data truly be protected when multiple states assert jurisdiction solely based on commercial activity?
The DPF is a tool.
One piece of a larger puzzle.
Not an absolute shield.
Source : https://eur-lex.europa.eu/legal-content/fr/TXT/?uri=CELEX:62023TJ0553
