European Union: General Court of European Union dismissed challenge to European Union-United States data protection framework adequacy decision

On 3 September 2025, the General Court of the European Union dismissed Philippe Latombe's challenge to the European Union (EU) United States (US) Data Protection Framework adequacy decision adopted by the Commission on 10 July 2023. The decision followed the US's adoption of Executive Order 14086 in October 2022, which strengthened privacy safeguards for intelligence activities after previous EU-US data transfer frameworks were invalidated. The Court found that the Data Protection Review Court (DPRC) provides adequate independence through specific appointment criteria, limited dismissal grounds, and a prohibition on executive interference with its work. Regarding bulk data collection, the Court ruled that prior judicial authorisation is not required, finding that ex post judicial review by the DPRC satisfies EU standards. The judgment establishes that US intelligence agencies must prioritise targeted over bulk collection, with bulk collection limited to six specific national security purposes and subject to proportionality requirements. The Court rejected arguments that the framework inadequately protects against automated decision-making and fails to ensure data security.