To avoid compromising the level of data protection conferred within the European Union, the GDPR lays down the rules applicable to international transfers of personal data. In accordance with those rules, if the European Commission considers that a third country ensures an adequate level of protection, transfers of personal data to that country may take place without further authorisation, on the basis of the adequacy decision adopted by the Commission. Such frameworks, established by the adequacy decision adopted by the EU Commission, existed between the EU and the United States of America. However, in the judgments in “Schrems I” (Judgement of 6 October 2015, C-362/14; see the press release) and “Schrems II” (Judgement of 16 July 2020, C-311/18; see also the press release), the European Court of Justice declared the two adequacy decisions concerning the United States to be invalid, on the ground that they did not ensure a level of protection of fundamental rights and freedoms that is essentially equivalent to that guaranteed by EU law.

On 7 October 2022, the United States adopted an Executive Order that strengthened the privacy safeguards governing activities carried out by intelligence agencies established in the United States. That order was supplemented by an Attorney General Regulation that amended the provisions governing the establishment and functioning of the Data Protection Review Court ( “DPRC”). Following an examination of those regulatory developments in the United States, the EU Commission adopted on 10 July 2023 a new adequacy decision, which put in place the new transatlantic framework for personal data flows between the European Union and the United States.

In light of this context, Philippe Latombe, a French citizen and user of various IT platforms that collect his personal data and transfer them to the United States, asked the European General Court to annul the EU Commission’s decision of 10 July 2023. The Plaintiff claimed that the DPRC is neither impartial nor independent, but dependent on the executive. Moreover, he submits that the practice of the US intelligence agencies of collecting in bulk personal data in transit from the European Union, without the prior authorisation of a court or an independent administrative authority, has not be circumscribed in a sufficiently clear and precise manner and, therefore, would be illegal.

In its Judgement dated 3 September 2025, the European General Court dismisses the action for annulment (T-553/23, see the press release). The General Court pointed out that, in the first place, it would be apparent from the files that the appointment of judges to the DPRC and the DPRC’s functioning are accompanied by several safeguards and conditions that would ensure the independence of its members. Moreover, judges of the DPRC may be dismissed only by the Attorney General and only for cause, and the Attorney General and intelligence agencies may not hinder or improperly influence their work. The European General Court also observed that, under the contested decision, the EU Commission is required to monitor continuously the application of the legal framework on which that decision is based. Thus, if the legal framework in force in the United States at the time of the adoption of the contested decision changes, the EU Commission may decide, if necessary, to suspend, amend or repeal the contested decision or to limit its scope. Considering this, the European General Court rejected the plea alleging that the DPRC is not independent.

In the second place, the bulk collection of personal data, the European General Court pointed out, in particular, that there is no indication in the Judgement “Schrems II” to suggest that that collection must necessarily be subject to prior authorisation issued by an independent authority. Rather, according to the European General Court, it is clear from that judgment that the decision authorising such collection must, at a minimum, be subject to ex post judicial review. In the present case, it would apparent from the file that, under US law, signals intelligence activities carried out by US intelligence agencies are subject to ex post judicial oversight by the DPRC. Therefore, the General Court concluded that it cannot be considered that the bulk collection of personal data by US intelligence agencies falls short of the requirements arising from “Schrems II” in that regard or that US law fails to ensure a level of legal protection that is essentially equivalent to that guaranteed by EU law. In the light of those considerations, the European General Court rejects the plea concerning the bulk collection of personal data and, therefore, dismisses the action in its entirety.

It should be noted that an appeal, limited to points of law only, may be brought before the European Court of Justice against the decision of the European General Court within two months and ten days of notification of the decision. The judgement is therefore not legally binding.