On 3 September 2025, the General Court of the European Union dismissed an action brought by a French member of the EU Parliament, Philippe Latombe, seeking to annul the European Commission’s adequacy ruling underpinning the EU-US Data Privacy Framework (DPF). This ruling confirms that, as of July 2023, the United States provides an 'adequate level of protection' for personal data transferred from the EU, in line with Article 45 of the GDPR. The decision follows previous invalidations of the earlier data transfer frameworks Safe Harbor (2015) and Privacy Shield (2020). Post-Brexit, the decision is still relevant for UK organisations as data transfers from the UK to the US are reliant on the EU-US DPF for their adequacy under the UK's 'data bridge'. 

The court's findings were that the safeguards introduced by the DPF met the ‘essentially equivalent’ standard required by EU law for data transfers to be adequate, and that the US court set up to review any concerns regarding EU transfers remained independent and impartial.

Implications for UK organisations

Although the UK is no longer an EU member, the ruling still has significant indirect impacts:

Stability for UK-US data transfers - The UK has its own adequacy decision for the US under the UK Extension to the DPF. The EU ruling reinforces confidence in this mechanism, reducing the risk of legal challenges that could disrupt UK-US data flows.

Reduced compliance burden - UK organisations relying on the DPF can continue transfers without implementing alternative safeguards like Standard Contractual Clauses (SCCs), avoiding additional costs and operational complexity.

Regulatory alignment -The decision underscores the importance of the UK maintaining alignment with EU adequacy standards. Divergence could jeopardise the UK’s own adequacy status with the EU, which remains critical for UK businesses handling EU personal data.

Ongoing risk management - While the ruling provides certainty, it does not eliminate risk. The judgment can be appealed, and future political or legal changes in the US could trigger a reassessment. UK organisations should maintain contingency plans for alternative transfer mechanisms.

Practical steps for UK organisations

• Audit data transfers: Confirm reliance on the UK-US DPF extension and document compliance (usually through maintaining a Record of Processing Activity).
• Update contracts: Ensure contracts reference the correct transfer mechanism and include fallback clauses. Organisations should also ensure supply chains are compliant with the DPF or otherwise have appropriate clauses in place to protect UK personal data.
• Monitor developments: Track any appeals or changes in US laws and UK adequacy decisions.

For further advice around this complex area, please contact me.