What the EU General Court’s September 2025 Ruling Means for International Data Transfers: The EU–US Data Privacy Framework Survives, But for How Long?

What the EU General Court’s September 2025 Ruling Means for International Data Transfers: The EU–US Data Privacy Framework Survives, But for How Long?

On September 3, 2025, the General Court of the European Union delivered a pivotal decision by dismissing a legal challenge against the EU–US Data Privacy Framework (DPF). This ruling allows companies to continue transferring personal data to the US under the current system. However, the decision is not the end of the road, as it can still be appealed, and privacy advocates are already signaling further legal scrutiny.

Summary of the Court’s Decision

The EU–US Data Privacy Framework was designed to facilitate transatlantic data transfers while ensuring that personal data is adequately protected. The legal challenge questioned whether US law provides “substantially equivalent protection” to EU standards. The General Court found that US law does indeed offer such protection, emphasizing a preference for targeted over bulk data collection. This decision underscores the court’s confidence in the existing framework, at least for now.

Implications for Businesses

For organizations relying on the DPF for transatlantic data transfers, this ruling provides temporary relief. However, businesses are advised to maintain backup transfer mechanisms due to the likelihood of further legal challenges. Companies should remain vigilant and prepared for any changes that might arise from future legal proceedings.

Ongoing Uncertainty

Despite the court’s decision, the situation remains fluid. Privacy groups, such as NOYB, are already preparing new challenges, and the possibility of an appeal to the Court of Justice looms large. This ongoing uncertainty means that businesses must stay informed and adaptable to any developments.

Practical Steps for Compliance Teams

Compliance teams should take proactive steps to navigate this uncertain landscape:

  • Monitor Legal Developments: Stay updated on any legal changes or new challenges to the DPF.
  • Review Data Transfer Mechanisms: Regularly assess and update data transfer strategies to ensure compliance.
  • Prepare for Potential Changes: Develop contingency plans to quickly adapt to any shifts in the legal framework.

By taking these steps, organizations can better position themselves to handle the evolving landscape of international data transfers.