The GDPR imposes stricter requirements on the transfer of personal data to third countries outside the EU. However, such transfers are often less problematic if they are based on an adequacy decision issued by the European Commission, provided that any additional requirements stipulated in the corresponding adequacy decision are also met.
Companies (in Germany) often use adequacy decisions issued by the European Commission as a basis for the transfer of personal data to the USA. These decisions mostly concern agreements between the EU and the USA. Following the ECJ rulings Schrems I and II, which overturned the “Safe Harbor” and “Privacy Shield” agreements, the EU made improvements in 2023 and developed the “Data Privacy Framework” (Decision (EU) 2023/1795) with the USA. The Data Privacy Framework created a new legal basis for transatlantic data transfers and implemented additional protection mechanisms in the USA, such as the Data Protection Review Court.
A challenge to the validity of the European Commission’s adequacy decision on the Data Privacy Framework was lodged with the General Court of the European Union (GC) by a French applicant (Case T-553/23). The applicant petitioned the GC to declare the Data Privacy Framework null and void, citing, in particular, the following reasons:
– US intelligence services are still able to collect personal data “in bulk” without sufficient oversight.
– The newly created Data Protection Review Court (DPRC) is not an independent tribunal.
The GC dismissed the action in its ruling of 3 September 2025. Specifically, the court argued that the independence of the DPRC is secured by sufficient institutional guarantees, and that subsequent judicial review of data collection (e.g. by the intelligence services) is compatible with the material requirements of the ECJ’s Schrems II ruling.
The GC ruling sends an important message to companies that data can continue to be transferred to the USA on the basis of the Data Privacy Framework. However, it remains to be seen whether this is the final word on the matter, as the decision can still be appealed to the ECJ. Companies should therefore keep a close eye on further legal developments.
