Europe’s General Court has upheld the legality of the EU-US Data Privacy Framework (DPF), affirming it provides an adequate level of protection for personal data transferred between the EU and the US, after dismissing a legal challenge by French MP Philippe Latombe.

This decision follows the invalidation of previous agreements like Safe Harbor and Privacy Shield, which were struck down due to insufficient privacy protections, especially related to US mass surveillance revealed by Edward Snowden.

The court also concluded that the Schrems II judgment does not require prior authorization for bulk data collection, as the US system offers sufficient ex post judicial oversight.

The EU Commission had deemed the 2023 agreement 'adequate,' with a scheduled review in 2027, but ongoing legal and political uncertainties remain.

While the ruling stabilizes transatlantic data flows temporarily, privacy advocates like Max Schrems and NOYB remain cautious, criticizing the framework for similar flaws as previous agreements and planning further legal challenges.

Many businesses and industry groups, including the Business Software Alliance, welcomed the decision, emphasizing it brings stability for over 2,800 US companies relying on the framework for cross-border data transfer.

The ruling comes amid strained EU-U.S. relations, including EU actions against Big Tech and US threats of retaliation, raising concerns about potential impacts on trade and technological development.

Organizations are advised to review their data transfer mechanisms and include fallback options, as legal uncertainties and potential appeals remain, with the European Court of Justice potentially reviewing the decision.

Reactions vary: privacy groups plan further legal challenges, while U.S. officials and business lobbies see the ruling as a boost for economic ties and innovation.

Companies are required to self-certify annually under the framework and implement measures like data minimization, but enforcement challenges persist, especially with evolving US laws such as FISA.

Legal experts and privacy advocates, including Max Schrems, remain cautious, citing the narrow scope of the ruling and the possibility of future legal battles over the adequacy of US data protections.

Critics argue the framework still falls short in protecting EU citizens from US government surveillance, and privacy advocates plan to continue challenging it.