In September, European Union bodies were engaged in two legal acts that could strengthen the EU-US framework for the transfer of personal data to the United States.
The European Court of Justice ruled on the validity of the adequacy decision establishing the Data Privacy Framework, temporarily avoiding a “Schrems III” and a new data crisis.
The European Data Protection Supervisor, with Opinion 24/2025, provided its guiding recommendations for conducting negotiations between the EU and the United States in order to reach a framework agreement on the exchange of information for security checks and identity verifications related to border procedures and visa applications.
The “Latombe” ruling on the data privacy framework
The first intervention concerns the European Court of Justice, which, in its judgment of September 3, 2025, in case T-553/23 (Latombe v. European Commission), ruled on the annulment appeal filed by French citizen Philippe Latombe against the adequacy decision adopted by the European Commission on July 10, 2023, establishing the Data Privacy Framework (“DPF”). This decision recognized an adequate level of protection for personal data transferred from the Union to organizations established in the United States.
The judgment addressed two crucial issues: (i) the independence and impartiality of the Data Protection Review Court (“DPRC”) and (ii) the legality of bulk collection of personal data by U.S. intelligence agencies in the absence of prior authorization.
The Court examined the legitimacy of the DPRC, established by the U.S. government as an independent review body available to European citizens for monitoring the personal data collection activities of intelligence agencies. Departing from the appellant’s argument that the DPRC was overly tied to the executive branch, the Court concluded that the DPRC offers sufficient guarantees of independence and impartiality for those who resort to it. Specifically, DPRC judges can only be dismissed by the Attorney General, and only for valid reasons, while the Attorney General and intelligence agencies cannot unduly obstruct or influence their duties.
Regarding the practice of bulk collection of personal data in transit from the Union, the Court assessed its compatibility with Articles 7 and 8 of the Charter of Fundamental Rights of the EU. The Court rejected the appellant’s argument that such collection would be unlawful due to the lack of prior authorization by an independent authority, invoking the European Court of Justice’s judgment in the “Schrems II” case. The Court deemed subsequent judicial oversight sufficient. In this case, U.S. law subjects intelligence activities to post-hoc judicial review by the DPRC.
Ultimately, the Court concluded that the DPF ensures an “essentially equivalent” level of protection to that provided by the GDPR and the Charter of Fundamental Rights of the EU, at least at the time the contested decision was adopted.
However, it was reiterated that adequacy decisions are not immutable: the European Commission is required to continuously monitor the legal system under review and may suspend, amend, or revoke the decision if the conditions justifying its adoption change.
Nevertheless, the validity of the adequacy decision is not yet resolved: the appellant will have the opportunity to appeal the Court’s judgment to the Court of Justice of the European Union within two months and ten days from the notification date, limited to issues of law.
The EDPS Opinion on the EU-US framework for border controls
The second intervention comes from the European Data Protection Supervisor (“EDPS”), which, on September 17, 2025, published Opinion 24/2025 on the European Commission’s recommendation of July 23, 2025, regarding a Council decision to authorize the start of negotiations for a framework agreement between the European Union and the United States on the exchange of information for security checks and identity verifications related to border procedures and visa applications. The framework agreement would set common requirements and conditions to allow individual EU member state authorities to conclude bilateral agreements with the United States for the exchange of personal data.
The initiative is intended to meet the new U.S. requirement to conclude an Enhanced Border Security Partnership (“EBSP”) by December 31, 2026, for admission to and continued participation in the Visa Waiver Program. This program allows citizens from participating countries to travel to the United States for up to 90 days for tourism or business without a visa. The EBSP would be concluded with the U.S. Department of Homeland Security. As a result, the framework agreement would apply to EU member states that benefit from a visa-exemption arrangement with the United States or wish to join the U.S. Visa Waiver Program.
The EDPS recognizes that if concluded, the framework agreement would be a significant precedent, as it would be the first Union agreement to involve the large-scale sharing of personal data, including biometric data, for border and immigration control purposes with a third country. In this context, the EDPS supports the proposal to establish a “common EU-US framework” for such data exchange, aiming to establish uniform conditions and safeguards at the Union level, thus strengthening the protection of the rights and freedoms of the data subjects.
While welcoming the Commission’s proposal, the EDPS urges EU bodies to consider a series of specific recommendations to protect the personal data of individuals, including:
- compliance with the principle of proportionality;
- conducting a prior data protection impact assessment;
- concrete mechanisms to exclude systematic, generalized, and non-targeted processing of personal data from all travelers;
- ensuring transparency and providing information to both EU and U.S. authorities about the data sharing between the EU and the U.S. under the EBSP;
- guaranteeing oversight systems on the use of personal data by one or more independent U.S. bodies with effective investigative and intervention powers;
- ensuring administrative and judicial remedy mechanisms for the individuals concerned;
- providing a mechanism to suspend and terminate the framework agreement if the U.S. no longer effectively guarantees the required level of protection for the rights and freedoms of individuals, with automatic suspension of bilateral agreements concluded between EU member states and the U.S.
Concluding remarks
The EU-US framework agreement and the validation of the DPF, if confirmed by the Court of Justice, could become key components in strengthening the legal framework for transatlantic personal data transfers, providing greater legal certainty for data controllers and processors in transferring personal data to the United States, and preventing European businesses from facing another block on data transfers overseas.
