Executive Summary
- What is new: On September 3, 2025, the European General Court (Europe’s second-highest court) confirmed the validity of the European Commission’s 2023 adequacy decision for the US.
- Why it matters: Many companies rely on this adequacy decision to enable transfers of personal data from the EU to the US. Two previous US adequacy decisions had been annulled by EU courts, leaving businesses unsure whether the 2023 adequacy decision would meet the same fate. The General Court’s approval of the 2023 adequacy decision will give businesses comfort that they can rely on the 2023 decision — for now.
- What to do next: Although the General Court decision provides some breathing room for companies, further litigation is likely — including an appeal by Mr Latombe to the European Court of Justice. Companies should therefore consider updating existing data-transfer documentation and expanding their use of the 2023 adequacy decision, but should stay vigilant as Latombe is unlikely to be the last challenge to the 2023 adequacy decision.
__________
Background to the Case
Under the EU General Data Protection Regulation (GDPR), the European Commission can issue “adequacy” decisions allowing data to be transferred from the EU to a non-EEA country without additional security measures such as standard contractual terms or binding corporate rules. Many companies rely on these decisions to enable international transfers of data both between their global entities and with third parties.
The European Commission has on three occasions issued decisions stating that the United States provides an adequate level of protection for personal data — most recently in 2023 (the 2023 Decision). The first two of these decisions were annulled by the European Court of Justice. In Latombe v Commission (Case T-553/23) , Mr Latombe sought to have the 2023 Decision annulled, too.
Mr Latombe argued, among other things, that the US executive orders forming the basis for the 2023 Decision provided insufficient independent judicial oversight, enabled over-broad collection of data by surveillance authorities, and did not match EU standards on data security and automated decision-making.
The Decision
Many observers had expected the General Court to sidestep the substance of Mr Latombe’s claim by dismissing it on procedural grounds, but the General Court chose instead to rule on the substance of the 2023 Decision.
Adequacy Decision Approved, but Broader Context Looms
On the substance, the General Court dismissed each of Mr Latombe’s arguments, finding that among other things the US Data Protection Review Court (DPRC) provided sufficient (quasi) judicial oversight of US data collection, US law contained appropriate limitations on bulk surveillance, and US law contained substantially equivalent protections on data security and automated decision making.
In reaching these conclusions, the General Court placed a significant weight on the European Commission’s assessment of US law that accompanied the 2023 Decision, frequently citing the 2023 Decision as authoritative on US law. In previous international transfer decisions, the EU’s highest court (the European Court of Justice) has not been similarly deferential to the European Commission, and has instead undertaken its own analysis of US law — an exercise that we would expect it to undertake again on appeal and that could lead to it diverging from the General Court.
The General Court also emphasized that its assessment of the 2023 Decision was undertaken based on the facts that were in place when the 2023 Decision was made. This approach is likely to prove controversial among privacy activists, and in any appeal, given ongoing shifts in US policy since the 2023 Decision. For example, the General Court refers throughout the judgment to assurances given in relation to the independence and authority of the US Privacy and Civil Liberties Board, despite most members of that board having been terminated earlier in 2025. The General Court also refers frequently to the independence enabled by US “just cause” termination protection for US officials, although recent developments in the US may have brought the effectiveness of those protections into question. We would expect privacy activists and the European Court of Justice to push this issue more aggressively during any appeal.
Finally, the General Court took a pragmatic approach to assessing the US’s privacy protections, frequently reiterating that a Commission “adequacy” decision did not require that US privacy laws were exactly the same as the EU’s; it was enough that they were substantially equivalent.
What To Do Now
Companies that rely on the 2023 Decision will be relieved that the decision has survived its first judicial scrutiny. Companies that relied on other transfer mechanisms, such as the EU’s standard contractual clauses, will also benefit from the judgment, as it provides an EU judicial endorsement of US privacy standards; companies should incorporate that endorsement into their GDPR documentation (such as transfer impact assessments).
That said, Latombe is unlikely to be the final word from the EU courts on the 2023 Decision. An appeal to the European Court of Justice is possible, and privacy advocate group NOYB has already indicated that it is considering its options to launch further challenges. Companies should continue to map US data flows, ensure that suitable fallback arrangements (such as the EU standard contractual clauses) are in place in case the 2023 Decision is annulled in future, and remain vigilant to further developments from the EU courts, including any appeal by Mr Latombe.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.