The EU-US Data Privacy Framework: What the Court Win Didn't Fix
The European General Court upheld the DPF in September 2025, but PCLOB has no quorum, a CJEU challenge is live, and your SCCs still matter.
The EU–US Data Privacy Framework was supposed to end the Schrems cycle.
Safe Harbor collapsed in 2015, in Maximillian Schrems v. Data Protection Commissioner (C-362/14), when the Court of Justice of the European Union held that U.S. surveillance law gave EU data subjects no effective redress. Privacy Shield collapsed in 2020, in Data Protection Commissioner v. Facebook Ireland Ltd. (C-311/18), when the CJEU held that the Privacy Shield Ombudsperson mechanism did not satisfy EU law's independence requirements. Both fell on the same essential ground: U.S. intelligence surveillance programs, combined with inadequate individual remedy, were incompatible with the EU Charter of Fundamental Rights.
The DPF — adopted July 10, 2023, as an adequacy decision under GDPR Article 45 — tried to solve the structural problem rather than paper over it. Executive Order 14086, signed October 7, 2022, created the Data Protection Review Court, a new quasi-judicial redress body with fixed terms, removal protections, and the ability to obtain classified evidence. The Commission's adequacy decision rested heavily on the DPRC as the mechanism that satisfied the CJEU's "essentially equivalent protection" standard.
In September 2025, the European General Court dismissed the first judicial challenge to the DPF. French MP Philippe Latombe alleged the framework failed to guarantee essentially equivalent protection, particularly regarding bulk data collection by U.S. intelligence agencies. The court disagreed — confirming the DPRC as sufficiently independent and the framework as adequate.
That was good news. It is not a resolution.
What the General Court Left Open
The General Court is not the final word on EU law. The CJEU is. Latombe filed his appeal with the Court of Justice of the European Union in October 2025. The appeal is pending.
This matters because both prior frameworks fell at the CJEU, not at lower courts. The substantive question the CJEU will eventually examine — whether Section 702 of the Foreign Intelligence Surveillance Act, Executive Order 12333, and the actual implementation of the redress mechanism produce protection "essentially equivalent" to EU law — has not changed as much as the DPF's drafters hoped. The DPRC is a genuine improvement over the Privacy Shield Ombudsperson. Whether it is a sufficient improvement to survive CJEU review is a question that remains open.
In the interim, the framework is legally valid and can be used as a transfer mechanism. But the legal baseline for organizations relying exclusively on DPF certification is that the mechanism could be invalidated by a court that has twice before invalidated its predecessors.
The PCLOB Problem No One Has Solved
In January 2025, three of five members of the Privacy and Civil Liberties Oversight Board were removed by executive action. PCLOB is the independent oversight body responsible for conducting the annual review of EO 14086's implementation — verifying that U.S. intelligence agencies are actually following the procedural safeguards the DPF claims to provide.
Without a quorum, PCLOB cannot produce that report. Its expected annual review is on indefinite hold.
The Commission's own first review of the DPF, conducted in 2024, explicitly flagged PCLOB's continued functionality as a necessary condition for the framework's ongoing validity. A PCLOB that cannot conduct oversight is not a functioning safeguard — and the Commission's adequacy decision rested partly on PCLOB's oversight role as a check on EO 14086's implementation.
The deeper structural problem is that EO 14086 is an executive order, not a statute. It can be revoked by presidential action without Congressional approval and without any legislative process. The legal infrastructure of the DPF is more vulnerable to unilateral executive action than a statute-based framework would be. Privacy Shield was implemented by executive action and destroyed by judicial review of whether U.S. executive practice matched the commitments made. The DPF is in the same position.
A framework that depends on: (a) an executive order that can be revoked by a successor administration; (b) an oversight board that currently lacks a quorum; and (c) an adequacy decision that has survived one court challenge with a second pending — is not a foundation you should build on alone.
What Organizations Should Actually Be Doing
The guidance that most experienced data protection counsel has been giving since Schrems II is the same guidance that applies now: operate under the DPF where certified, but maintain Standard Contractual Clauses as a parallel transfer mechanism with every U.S. processor that handles EU personal data.
SCCs adopted under the European Commission's June 2021 Standard Contractual Clauses Decision are a transfer mechanism independent of the DPF. If the DPF is invalidated — overnight, without warning, as Privacy Shield was — organizations with SCCs in place have a legal basis that doesn't evaporate. Organizations relying solely on DPF certification face a gap period that could last weeks or months while they rush to execute SCCs with every U.S. vendor.
SCCs require real work. Under the Schrems II decision and the EDPB's Recommendations 01/2020 on supplementary measures, each transfer covered by SCCs requires a Transfer Impact Assessment — a documented evaluation of whether, in the specific circumstances of the transfer, the receiving jurisdiction provides adequate protection or whether supplementary measures (encryption, pseudonymization, access controls) reduce the risk to an acceptable level. The TIA is not a checkbox. The EDPB has been explicit that a boilerplate TIA conclusion without substantive country and transfer analysis does not satisfy the obligation.
Maintaining SCCs with documented TIAs also produces a paper trail that functions as compliance insurance. The record shows the organization understood the risks, evaluated them, and made deliberate decisions. When a regulator asks — after an invalidation event — how long the organization had been relying on a mechanism that was later struck down, the answer you want to give is: "We were maintaining SCCs in parallel and here is the assessment file."
The EU AI Act Layer
Separate from the DPF uncertainty, organizations building AI systems that process EU personal data are now navigating a second regulatory layer: the EU AI Act (Regulation (EU) 2024/1689), which entered its most significant obligations phase in 2025.
For high-risk AI systems — those used in employment, credit assessment, educational access, law enforcement, migration, and related contexts — the AI Act imposes documentation, conformity assessment, and data governance requirements that sit alongside, not instead of, GDPR obligations. The two frameworks run in parallel.
The European Data Protection Board clarified in 2025 guidance that GDPR applies to AI model training regardless of where the model is trained or operated. A U.S.-based company training a model on EU personal data in a U.S. data center is executing a cross-border transfer of personal data under GDPR — that transfer requires a lawful mechanism and a TIA, the same as any other transfer. The AI Act's training data requirements add documentation obligations on top of this, but do not replace or reduce the GDPR transfer analysis.
The European Commission's Digital Omnibus Regulation Proposal, issued November 2025, includes some GDPR simplification proposals — but those are legislative proposals, not yet in force, and the final shape of any simplification remains uncertain. Organizations that relax compliance posture in anticipation of regulatory simplification that has not yet been enacted are getting ahead of themselves.
The Practical Posture for In-House Counsel
Three things are worth maintaining regardless of how the CJEU resolves the DPF challenge.
First, dual-mechanism coverage: operate under DPF certification where the organization is certified, execute SCCs with all U.S. processors, and ensure each SCC relationship is backed by a documented TIA. The TIA is where the legal work actually lives.
Second, document the annual review. GDPR requires that transfer mechanisms be kept under review. In the current environment — PCLOB disrupted, CJEU review of DPF pending, EO 14086 vulnerable to unilateral change — the annual review that documents the legal landscape and the organization's deliberate response to it is not hygiene. It is the artifact that distinguishes organizations that acted reasonably from those that didn't.
Third, run the AI Act obligations on a separate track from the GDPR transfer analysis. High-risk system documentation, conformity assessment, and data governance requirements under the AI Act are distinct from transfer mechanism selection under GDPR. Both tracks need to be active, and progress on one does not satisfy the other.
For in-house counsel managing EU data flows, the General Court's September 2025 ruling is a genuine positive development. Treat it as buying time, not as closing the question. The CJEU has the final word. The oversight infrastructure that the DPF depends on is currently impaired. Building a compliance program on the assumption that nothing will change is a version of the same mistake organizations made between Schrems I and Schrems II.
The cycle has not ended. It has paused.