The texts of Member of the French Parliament Philippe Latombe’s pleadings in his legal appeal concerning the EU-U.S. Data Privacy Framework (DPF) were formally published in the Official Journal of the European Union, marking a significant procedural milestone in the ongoing challenge to the transatlantic adequacy decision. With this appeal, Latombe has taken his case to the Court of Justice of the European Union (CJEU), seeking to overturn a previous judgment of the General Court of the European Union that dismissed his annulment action against the DPF. This development ensures the substance of his arguments will now be considered at the apex judicial level in the EU.

The Data Privacy Framework and Its Legal Backdrop
The EU-U.S. Data Privacy Framework is the latest in a series of EU-U.S. mechanisms designed to permit the transfer of personal data from the European Union to the United States based on a determination of an “adequate level of protection” under Article 45 of the General Data Protection Regulation (GDPR). It was adopted by the European Commission on 10 July 2023, following extensive negotiations that sought to address the failures of earlier arrangements.
Previous frameworks—the Safe Harbor Principles and later the EU-U.S. Privacy Shield—were struck down by the CJEU in the Schrems I (2015) and Schrems II (2020) judgments, respectively, because U.S. surveillance law and practice were found to allow access to EU personal data without sufficient safeguards or effective remedies for data subjects.
In response, the 2023 framework introduced a set of enhanced commitments by the United States, supported by an Executive Order, coupled with a new mechanism for redress through the Data Protection Review Court (DPRC). The DPRC is designed to provide a path for EU individuals to seek binding review of certain data access decisions by U.S. intelligence authorities.
General Court Dismissal and Latombe’s Appeal
Mr. Latombe originally brought his annulment action before the General Court of the European Union on 6 September 2023, arguing that the DPF fails to offer a level of protection “essentially equivalent” to that guaranteed within the EU under the GDPR and the Charter of Fundamental Rights of the European Union, as EU law requires.
In September 2025, the General Court dismissed Latombe’s action on the merits after substantive consideration of his arguments. The court concluded that the DPF, as assessed at the time of the Commission’s adequacy decision, did meet the requisite threshold of protection—including safeguards for redress through the DPRC as established under U.S. law and the accompanying Executive Order.
Latombe’s pleadings, now published in the Official Journal, seek to reverse that dismissal at the CJEU. His appeal challenges several core elements of the framework’s legal foundation and implementation, grounding the appeal in detailed procedural and substantive pleas.
Core Pleas in Latombe’s Appeal
Latombe’s appeal identifies a set of interconnected pleas that argue the General Court erred in upholding the Commission’s adequacy decision. These pleas reflect longstanding concerns about surveillance, judicial redress, and the structural protections afforded to EU data subjects once their data is transferred to the United States. The published grounds emphasize the following:
- Judicial Independence and Effective Redress: The appeal challenges the adequacy of the DPRC, asserting that its appointment and removal procedures for judges do not ensure sufficient independence from the executive branch of the U.S. government—a key element in assessing whether the redress mechanism meets the requirements of Article 47 of the EU Charter.
- Surveillance and Bulk Data Collection: Latombe contends the framework does not meaningfully prevent bulk collection of personal data by U.S. intelligence services, raising concerns that this practice remains inconsistent with the protections enshrined in EU law.
- Insufficient Protections for Automated Decision-Making: The appeal argues U.S. law lacks safeguards comparable to the EU’s standards for automated decision-making, potentially exposing EU citizens to processing that would be lawful in the U.S. but prohibited or limited under EU data protection principles.
- Data Security and GDPR Equivalence: Latombe asserts that the regime governing data security post-transfer does not afford the same legal protection as the GDPR’s Article 32 requirements.
Legal and Policy Significance of the Appeal
The publication of Latombe’s pleadings in the Official Journal is significant because it inaugurates the formal phase of judicial review before the CJEU, the ultimate arbiter of EU law interpretation. The CJEU’s review will focus on points of law rather than re-examining factual findings, but its judgment could reshape how adequacy decisions are evaluated, especially in relation to third-country legal frameworks involving national security and executive branch authority.
Given the historical record—where earlier frameworks were invalidated due to insufficient protections—this appeal echoes broader European concerns about the resilience of transatlantic data transfer agreements. Latombe’s case also illustrates the persistent tension between facilitating cross-border data flows for economic and operational reasons and protecting fundamental privacy rights.
Implications for Businesses and Data Transfers
Until the CJEU issues its judgment, the DPF remains in force, and businesses may continue to rely on it as a legal basis for transfers of personal data from the EU to certified U.S. organizations. This ongoing legal uncertainty places a premium on implementing robust alternative safeguards such as Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) where appropriate.
Companies that depend on EU-U.S. data flows should carefully monitor the progress of this appeal, as a ruling from the CJEU could affirm the Commission’s approach or substantially alter the requirements for adequacy decisions and third-country safeguards. Such a judgment will resonate beyond EU-U.S. transfers, potentially affecting multiple international data transfer frameworks and adequacy arrangements globally.
Why This Matters for Global Privacy Standards
The legal fate of the DPF has consequences that extend well beyond the EU-U.S. commercial sphere. A decision by the CJEU to uphold or overturn the General Court’s judgment will signal how EU privacy law confronts data protection in contexts where national security and executive authority intersect. The outcome could influence legislative reforms in both the EU and U.S. and inform debates around emerging global data governance approaches that seek to reconcile human rights with cross-border digital economies.
- The Official Journal publication makes Latombe’s appeal formally part of the CJEU record.
- His pleadings challenge the adequacy of judicial redress, surveillance safeguards, automated decision protections, and data security equivalence under the DPF.
- The DPF, while continuing to operate, remains legally vulnerable until the CJEU issues a binding judgment.
- Businesses should consider fallback transfer mechanisms in anticipation of potential legal shifts.
- The case reflects broader tensions between privacy protection and international data flows in a complex geopolitical environment.