Ksheeraja Satish, LL.M. Class of 2026
Transatlantic transfers of personal data are fundamental to the global digital economy. However, the legal history of these transfer mechanisms has been one of successive invalidations. Each time the European Union (EU) and the United States (U.S.) negotiate a solution, the Court of Justice of the European Union (CJEU) frustrates the arrangement. The critical question is whether the current EU-U.S. Data Privacy Framework (DPF) can finally deliver “essentially equivalent” protection to that of the EU as required under Article 45 of the General Data Protection Regulation (GDPR). Under the provision, if the European Commission recognizes that a foreign country provides an “adequate level of protection” comparable to that of the EU, the Commission may pass an adequacy decision and allow personal data of its data subjects to flow freely without any additional safeguards.
Adopted in July 2023, DPF represents the Commission’s third attempt at achieving such an adequacy finding under GDPR. DPF, in combination with Executive Order 14086, was designed to address the deficiencies identified in its predecessors—the Safe Harbor Framework and the EU–U.S. Privacy Shield—which were struck down by the CJEU in 2015 and 2020, respectively. The new framework introduced new safeguards to limit U.S. intelligence agencies’ access to data and strengthen the individual redress mechanism by establishing the Data Protection Review Court (DPRC), an independent body intended to provide EU data subjects with a binding remedy against unlawful U.S. surveillance.
But soon after its adoption, Philippe Latombe, a French Member of the European Parliament, challenged DPF’s validity before the European General Court, arguing that DPF does not guarantee a level of protection essentially equivalent to that ensured within the EU. His primary grounds of challenge were that DPRC lacked independence and that the bulk data collection by U.S. intelligence agencies was disproportionate and unlawful. In September 2024, the General Court dismissed his claim, ruling that the U.S. provided an adequate level of protection. While this decision provided short-term relief to DPF-certified U.S. organizations, the matter is far from settled. Latombe’s appeal, filed in October 2025, remains pending before the CJEU. If history is any guide, scrutiny at this level could once again prove fatal. Another invalidation would likely force U.S. organizations to rely on more costly, inflexible alternatives such as standard contractual clauses or binding corporate rules, which have functioned as fallbacks in the past.
To further complicate matters, a future invalidation could now carry much higher stakes in view of the General Court’s ruling in Bindl v. Commission in January 2025. For the first time, the Commission was held liable to pay damages to an individual for an unlawful data transfer on the basis of “non-material damage” resulting from the loss of control over personal data. Thus, Bindl may open the door to large-scale class actions if transfers are later deemed unlawful. If the CJEU invalidates DPF, U.S. organizations could face substantial liability from affected data subjects for data transfers that are later determined to be non-compliant with GDPR.
DPF also faces mounting political instability. In January 2025, three out of five members of the Privacy and Civil Liberties Oversight Board (PCLOB)—the body responsible for overseeing DPF—were removed. Notably, all the dismissed members were Democrats, raising concerns about potential partisan influence. Moreover, with no quorum, PCLOB’s work, including its annual review of DPF’s privacy and intelligence complaint remedies, has been disrupted. This has only deepened the EU’s concerns about the durability of U.S. safeguards.
The recurring cycle of invalidation and replacement raises a deeper structural question: whether the very premise of EU-U.S. data flow through adequacy decisions is flawed. This is because of the fundamental philosophical divide between the EU and U.S., which makes it challenging for the U.S.—a consumer-centric jurisdiction—to ever truly match the EU’s human-rights-centric approach when it comes to personal data protection. Without a comprehensive federal privacy statute, and with safeguards largely dependent on executive orders that can be revoked or altered by any future administration, transatlantic data transfers remain legally fragile regardless of how the frameworks are designed. Efforts must move beyond temporary fixes, and toward a system grounded in a durable, rights-respecting framework. Until then, the global digital economy will remain in a state of perpetual regulatory peril.