- Contact The DPO Centre
- +44 (0)203 797 1289
- hello@dpocentre.com
Axiom GRC acquires The DPO Centre
September 1, 2025
On 3 September 2025, the EU General Court upheld the European Commission’s adequacy decisionA decision adopted by the European Commission on the basis of Article 45 of the GDPR, which establishes that a third country (i.e. a country not bound by the GDPR) or international organisation ensures an adequate level of protection of personal data. Such a decision takes into account the country's domestic law, its supervisory authorities, and international commitments it has... for the EU-US Data Privacy FrameworkThe EU-US Data Privacy Framework (EU-US DPF) is a set of principles and safeguards for transferring personal data from the EU to certified US organisations. The programme took effect on 10 July 2023, replacing the invalidated Privacy Shield, and the EU Commission has since deemed transfers made from the EU to certified US organisations Adequate. (DPF) and rejected French MP Phillipe Latombe’s challenge.
Latombe argued that US surveillance practices and the DPF’s complaint mechanisms fall short of EU protection standards. These same arguments previously led to the invalidation of the Safe Harbour and Privacy ShieldUS Certification scheme, now replaced by Data Privacy Framework. frameworks.
What this means for your organisation
The ruling brings immediate relief for businesses that have invested in the EU-US DPF and provides renewed confidence for organisations planning transatlantic expansion. The framework remains a legally valid mechanism for transferring personal dataInformation which relates to an identified or identifiable natural person. from the EU to the United States.
Katrina Leach, Head of DP Operations at The DPO Centre, comments:
‘The Court’s decision to uphold the EU-US Data Privacy Framework provides welcome stability for transatlantic data flows, although it’s likely that privacy campaigners will continue to challenge, especially in light of political developments in the US. Prudent businesses should, therefore, continue to take a ‘belts and braces’ approach by supplementing it with Standard Contractual ClausesStandard Contractual Clauses are legal tools to provide adequate safeguards for data transfers from the EU or the European Economic Area to third countries..’
Looking ahead: Why vigilance remains essential
Despite the decision, the framework may still face further legal scrutiny, including possible appeals to the Court of Justice of the European UnionA Court interpreting EU law, ensuring it is applied in the same way in all EU countries, and settling legal disputes between national governments and EU institutions. The Courts ensure the correct interpretation and application of primary and secondary EU law within the EU. It consists of two courts: the Court of Justice and the General Court. (CJEU). Additional challenges are expected from privacy activist Max Schrems and not-for-profit organisation NYOB, who successfully brought cases that invalidated Safe Harbour and Privacy Shield.
Organisations are advised to continue monitoring developments closely and review transferThe movement of data from one place to another. This could be, for example, from one data controller to another, or from one jurisdiction to another. mechanisms. Consider whether your current arrangements provide enough resilience and ensure you have a robust back up plan in place, including possible complementary mechanisms like Standard Contractual Clauses (SCCs).
To learn more about how SCCs work and how they can support your organisation’s transfer arrangement, read our blog.