Tsaaro got CERT-IN Empanelled | MeitY has published the DPDP Rules, 2023.
Research Team (Tsaaro)
European General Court Affirms EU-US Data Privacy Framework: Companies May Resume Transatlantic Data Flows
Mar 3, 2026

After many years of judicial tug-of-war over transatlantic data transfers, the European General Court has upheld the EU-US Data Privacy Framework (DPF). This ruling brings an end to the uncertainty that began after the invalidation of Safe Harbour and Privacy Shield in the Schrems I (2015) and Schrems II (2020) cases. Companies can once again rely on the DPF for transfers of personal data between Europe and the US, which will prove to be a lifeline for sectors that rely on uninterrupted digital flows.
Why This Matters?
The EU-US data corridor supports hundreds of billions of euros in trade each year. Cloud services, cross-border payments, social media platforms and medical research all run on these digital pipelines. Without a lawful mechanism, companies could face enforcement proceedings and heavy compliance costs over GDPR violations. The court has provided stability for the time being by recognising the DPF, but the shadow of Schrems I and II still looms.
Key Observations
1. Oversight and Surveillance
The controversy centred on whether the newly formed Data Protection Review Court (DPRC) lacked independence and whether mass data collection by US intelligence agencies undermined the rights of European citizens. The Court found that the DPRC’s composition, appointment process, and removal limitations ensured its independence, and that the availability of ex post judicial review satisfied the “essential equivalence” test.
2. Corporate Certainty
By rejecting the revocation petition, the Court maintained predictability for businesses on both sides of the Atlantic. US companies that have self-certified under the DPF will continue to receive European personal data, while European exporters were spared the costly and complex process of relying solely on contractual clauses or binding corporate rules.
3. Risk of future litigation
The Court clarified that the Commission must continue to monitor US behaviour and has the power to suspend, modify or revoke the adequacy determination if safeguards are weakened. Also, the decision is appealable to the Court of Justice of the European Union within two months and ten days. This leaves open the possibility of further judicial review in the future.
The Need for Strategic Compliance
While this decision provides relief, businesses should not take it as carte blanche. Data exporters will need to continually monitor US congressional and executive activity and Commission reports to ensure that the safeguards on which transfers rely remain valid. Compliance with GDPR principles, vendor management and internal accountability frameworks remain essential. Companies should have backup plans ready for possible repeal in the future, given that earlier frameworks like Safe Harbour and the Privacy Shield fell under judicial review.
This decision by the European General Court ensures short-term stability for EU-U.S. data transfers, but it does not eliminate uncertainty. Surveillance practices, institutional independence, and ongoing political circumstances may pose new challenges in the future. For organisations, this is simultaneously a relief and a warning: relief that data flows can continue for now, and a warning that strong compliance and vigilance are still essential.
https://informationsecuritybuzz.com/european-court-upholds-eu-u-s-data-privacy-framework-clearing-path-for-transatlantic-data-flows
EU-U.S. data transfers are secure for now, but vigilance is vital. Stay updated with Tsaaro Consulting at www.tsaaro.com.
News of the Week
1. Google Deploys Gemini AI On-Prem to Enhance Privacy and Compliance
Google is now integrating its Gemini AI models into its on-prem cloud infrastructure through Google Distributed Cloud (GDC). The move focuses on security, so that companies in regulated sectors such as healthcare, banking and government can use generative AI while keeping tight control over sensitive data.
GDC features Nvidia Hopper and Blackwell GPUs with automatic load balancing and confidential computing support, which ensures high availability and secure processing for AI workloads. Gemini’s capabilities include multimodal understanding of text, images, audio, and video, which opens up opportunities for use cases such as intelligent chatbots, AI-assisted document summarisation, code generation, and multilingual collaboration.
https://www.networkworld.com/article/4051804/google-adds-gemini-to-its-on-prem-cloud-for-increased-data-protection.html
2. California Bill on “Surveillance Pricing” Largely Struck Down
Legislators in California tried to impose a sweeping ban on “surveillance pricing”. Surveillance pricing is the practice where companies set prices based on consumers’ personal data, such as browsing history, income level or location tracking. The bill, however, was significantly narrowed by the state Senate Appropriations Committee and now applies only to grocery prices. Lobbying from tech giants and retail companies played an important role. They argued that such personalisation is part of modern e-commerce and brings competitive offers to consumers.
Privacy advocates say unregulated surveillance pricing creates a “two-tiered market” where vulnerable groups pay higher prices. For example, you could be charged more for home delivery of medication if your location shows you live in a remote area. This rollback reflects a broader trend: while California may often be a privacy pioneer, corporate interests continue to set the boundaries of consumer protections.
https://www.dataprivacyandsecurityinsider.com/2025/09/the-price-you-pay-california-largely-strikes-down-bill-banning-surveillance-pricing/
3. FTC Clamps Down on Children’s Data Privacy: Robot Toys and AI Companies Under Scrutiny
The United States Federal Trade Commission (FTC) is increasing oversight over children’s data privacy, especially as AI and connected devices reach every household. In one case, the FTC took action against Apitor Technology Co., a robot toy maker that it alleges illegally sent children’s voice recordings and location data to servers in China without parental consent.
At the same time, the FTC is preparing to question major AI manufacturers on how generative AI impacts children’s mental health, data security, and access to harmful content. These developments show that protecting children’s digital rights is now becoming a central front of AI governance. Given bipartisan support, the US could soon have tougher legislation similar to Europe’s Digital Services Act.
https://www.theepochtimes.com/us/ftc-takes-action-against-robot-toy-maker-for-allegedly-sending-childrens-info-to-china-5911382 and https://www.reuters.com/business/ftc-prepares-grill-ai-companies-over-impact-children-wsj-reports-2025-09-04
4. ICE Gains Controversial Spyware Capabilities
In a controversial development, US Immigration and Customs Enforcement (ICE) has purchased commercial spyware tools, reigniting a debate over surveillance and civil liberties. According to reports, ICE’s new capabilities could give it remote access to devices, location tracking, and even the ability to turn on microphones. These powers were previously limited to intelligence agencies.
Privacy advocates say it blurs the line between domestic law enforcement and intelligence operations, especially for immigrant communities that already face disproportionate surveillance. The purchase points to a global trend that, as spyware becomes cheaper and more easily available, more government agencies, not just intelligence, are adopting it. This raises serious questions about accountability and balance: Where should the line be drawn between security and privacy?
