Print this article

Transatlantic Data Flows, Privacy In Focus After EU Court Ruling

Tom Burroughes

5 September 2025

The conflicting interests of data security and financial transparency have been highlighted this week by an EU court’s refusal to annul a 2023 data transfer pact between the US and European Union. 

Earlier this week, a legal challenge brought before the EU’s General Court by French citizen Phillipe Latombe sought to squash the European Commission’s EU-US adequacy decision. Latombe claimed that the Privacy Shield 2.0 framework used for this agreement – replacing the earlier 2020 privacy shield approach – contained shortcomings.

The pact is the 2023 EU-US Data Transfer Framework. 

The matter is significant for private banks, wealth managers and professional services firms whose businesses span the US and European Union. At a time of concerns about cybersecurity breaches, and attempts by governments to crack down on illicit financial flows, the privacy of financial data is a live issue. It can touch on tax information exchanges, such as those involved under the US FATCA legislation and the Common Reporting Standard.

Latombe, a member of the European Parliament, had complained that the agreement allowed for disproportionate data collection, lacks transparency and adequate safeguards for Europeans’ personal information, and offers insufficient legal redress. His was the first such challenge to the agreement. As various media reports said, Latombe needed to show judges that the deal affected him directly as an individual, but he failed to make that case.

More than 2,800 US companies rely on the agreement to conduct business.

In 2023, the European Commission adopted a new adequacy decision – Privacy Shield 2.0 – to enable certain EU-US data transfers, after the former US president Joe Biden signed an executive order providing for a suite of privacy safeguards and protections.

The US-based , said the court’s actions bolstered the agreement, but advised against complacency.

“While today’s [3 September) decision underscores the continuing validity of the DPF , in contracts to ensure compliance in case the DPF would be invalidated in the future,” according to a note from Alex Milner-Smith, partner and co-head of data, privacy and cyber, London, and Lee Ramsay, managing knowlege lawyer, London, at Lewis Silkin.

“So, should an appeal be lodged, there is no need to change anything until the final determination has been handed down but an audit of your data transfer mechanisms would be prudent – and for those who didn’t add in a fallback mechanism now might be the time to do so,” they said.