On 3 September 2025, the European General Court delivered a pivotal judgment, dismissing a challenge by French Member of Parliament Philippe Latombe against the EU–US Data Privacy Framework (DPF). This ruling affirms the framework’s validity, reinforcing its role in facilitating secure and lawful transatlantic data transfers.
What Is the EU–US Data Privacy Framework?
The DPF is a comprehensive agreement between the European Union and the United States, designed to ensure that personal data transferred across the Atlantic is afforded a level of protection equivalent to that within the EU. It addresses concerns raised in previous legal challenges, such as the Schrems II case, by introducing robust safeguards, including the establishment of an independent U.S. Data Protection Review Court and enhanced oversight of U.S. intelligence agencies’ data collection practices.
The Significance of the Court’s Ruling
The General Court’s decision is a significant milestone, as it is the third time in a decade that the EU courts have upheld the adequacy of an EU–US data transfer agreement. Unlike the invalidation of the Safe Harbor and Privacy Shield frameworks in 2015 and 2020, respectively, this ruling provides a stable legal basis for businesses engaged in transatlantic data exchanges.
The Imperative of Appointing a Data Protection Representative
For non-EU companies, particularly those based in the U.S., wishing to engage in data processing activities involving EU residents, compliance with the General Data Protection Regulation (GDPR) is mandatory. A critical aspect of this compliance is the appointment of a Data Protection Representative within the EU.
Under Article 27 of the GDPR, non-EU entities must designate a representative in the EU if they process personal data of individuals located in the EU, unless the processing is occasional, does not include sensitive data, and is unlikely to result in a risk to the rights and freedoms of individuals. The Data Protection Representative acts as a point of contact for EU data subjects and supervisory authorities, ensuring that the company adheres to EU data protection laws.
Why This Matters for Your Business
You must appoint a representative if:
- You are outside the EU.
- You process personal data of EU residents.
- Your processing activities are more than occasional and involve offering goods/services or monitoring behaviour.
The only exemptions are for very limited, occasional processing that does not involve sensitive data.
Building Trust Through Compliance
The recent court ruling is great news for companies moving data across the Atlantic—it gives much-needed clarity and stability. As a provider of Data Protection Representative services, we understand the complexities non-EU companies face in navigating the EU’s data protection landscape. For non-EU companies, particularly those in the U.S., appointing a Data Protection Representative is a mandatory regulatory requirement as well as a strategic step towards fostering secure and trustworthy business relationships within the EU. Book a free 20-minute call with Kanto today to find out how we can help you appoint the right representatives.
Image by macrovector_official on Freepik
