A Luxembourg ruling has saved US-EU data transfers, even if the reprieve may prove temporary.
The European Union’s General Court, the bloc’s second-highest court, upheld the US-EU Data Privacy Framework, dismissing a French challenge that sought to annul the 2023 agreement allowing personal data to move freely across the Atlantic.
The ruling affects daily life and business operations: sending emails, booking hotels, or storing photos in the cloud. American and European companies depend on transferring personal information — names, emails, credit card numbers, browsing histories — from Europe to servers in the US. More than 2,800 US companies, from Silicon Valley giants to small service providers, have signed up to the framework. Without it, they could no longer process Europeans’ data, creating digital chaos and disrupting business worth hundreds of billions of euros annually.
The dispute reflects a fundamental transatlantic split over privacy protections. Europe’s General Data Protection Regulation (GDPR) limits government access to personal data and requires that any non-EU country receiving such data provide equivalent safeguards. Many partners, including Japan and the UK, have adopted similar standards. The US, however, lacks national privacy legislation, making data transfers a recurring flashpoint.
Twice before, the European Court of Justice struck down earlier agreements. In 2015, the Safe Harbour framework was invalidated (Schrems I). In 2020, the Privacy Shield met the same fate (Schrems II). Both times, US surveillance laws were judged to give intelligence agencies excessive access to European data.
To prevent another breakdown, Washington and Brussels created the Data Privacy Framework, declared “adequate” by the European Commission in July 2023. It introduced limits on intelligence collection and established the Data Protection Review Court, where Europeans can challenge US surveillance of their data.
French MEP Philippe Latombe contested the framework, arguing that the Review Court lacked independence because it sits within the US Department of Justice, and that bulk surveillance remained unchecked. The General Court disagreed, finding that safeguards exist to prevent executive interference and that bulk data collection is subject to later judicial review.
For businesses, the alternative would have been disruptive. Without the framework, firms would have been forced to rely on standard contractual clauses — complex, costly, and prone to further litigation. Stability in data transfers is critical for cloud services, social networks, and artificial intelligence, all of which rely on large-scale data flows.
The legal battle is not over. Latombe can appeal to the Court of Justice, which previously dismantled Safe Harbour and Privacy Shield. Privacy advocates warn that US commitments rest on executive orders, not laws, and could be reversed. Since Donald Trump’s return to the White House, he has removed three Democratic members of the Privacy and Civil Liberties Oversight Board, leaving it without a quorum. Austrian activist Max Schrems, whose lawsuits brought down the earlier frameworks, argues that such moves show the US no longer provides protections equivalent to Europe’s. His NGO, None of Your Business, predicts the current framework may not withstand scrutiny.
The European Commission plans to review the deal again in 2027. For now, the transatlantic data bridge remains in place. The ruling buys Brussels and Washington time, but history suggests caution: each new legal challenge could plunge the system back into uncertainty.