The upcoming “Schrems III case” on 3 September 2025 could invalidate the EU–US Data Privacy Framework (DPF), once again disrupting data transfers between the European Union and the United States. Businesses would be forced to fall back on alternative solutions such as the Standard Contractual Clauses and Transfer Impact Assessments, creating a potential panic moment for many of them.
On 3 September 2025, the Court of Justice of the European Union (CJEU) will deliver its judgment in the Latombe vs European Commission case. At stake is the future of the EU–US Data Privacy Framework, the adequacy decision adopted in July 2023 to restore a stable legal basis for transatlantic data transfers. If the framework is struck down, companies may once again face the type of regulatory and operational uncertainty that characterized the Schrems II ruling of 2020. Many are already calling this scenario “Schrems III.”
I remember very well what the last invalidation felt like. In July 2020, when the CJEU invalidated the Privacy Shield, I was in Sicily with my family, isolated on a farm during the pandemic. Surrounded by pigs, donkeys, and chickens, and with an unstable internet connection, I was trying to reassure clients who feared they had to suspend their transfers to US technology providers overnight. At the same time, together with my colleague Tommaso Ricci and our DLA Piper team, we were building our legal-tech tool TRANSFER, anticipating that Standard Contractual Clauses (SCCs) would no longer suffice without detailed Transfer Impact Assessments (TIAs).
Five years later, history could be about to repeat itself.
Why the DPF is Under Attack in Latombe vs European Commission
The case was filed in September 2023 by Philippe Latombe, a French Member of Parliament, who directly challenged the Commission’s adequacy decision under Article 263 TFEU. Unlike Schrems I and II, which came through national litigation and preliminary references, this case directly targets the decision itself, which could accelerate judicial review.
Latombe argues that the DPF fails to provide “essentially equivalent” protection for EU citizens as required under Article 45 GDPR and the EU Charter of Fundamental Rights. His main arguments include:
- US surveillance powers remain disproportionate: Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333 still permit large-scale collection of data belonging to non-US persons. Despite reforms under Executive Order 14086, the concern is that US intelligence agencies can still engage in bulk access without the strict necessity and proportionality demanded under EU law.
- The Data Protection Review Court (DPRC) lacks independence: This body, created by the DPF to handle complaints from EU citizens, is embedded within the US Department of Justice. Members are appointed by the Attorney General, and its proceedings are secret, with no opportunity for complainants to see evidence or appeal decisions. The fear is that this mechanism does not meet the Article 47 Charter requirement for an effective remedy before an independent and impartial tribunal.
- Limited redress rights: Unlike in the EU, where courts can annul administrative acts and award damages, the DPRC can only confirm whether a violation occurred and potentially order remedial measures like deletion. This limited scope may not satisfy EU standards of judicial protection.
- Automated decision-making and security safeguards: Latombe also highlights that US law does not regulate automated decisions in a way comparable to Article 22 GDPR, and that the framework lacks robust, enforceable provisions on data security comparable to Article 32 GDPR.
These substantive issues mirror the reasoning that led to the downfall of both the Safe Harbor in 2015 and the Privacy Shield in 2020.
The Commission’s Defence of the Framework
The European Commission insists that the DPF introduces meaningful safeguards. It points to the new US legal instruments, particularly Executive Order 14086, which limits surveillance activities to defined objectives such as counterterrorism and requires oversight mechanisms. The Commission also emphasizes that the DPRC, while novel, represents a genuine improvement compared to the Ombudsperson mechanism rejected in Schrems II.
Nonetheless, the CJEU has consistently taken a strict line: if remedies are not fully independent and transparent, they will not be considered “essentially equivalent.” That makes the DPRC the weak link in the DPF and the most likely reason for invalidation.
Two Scenarios for Schrems III
The judgment could lead to very different futures:
- If the DPF is confirmed: EU–US data transfers will retain a stable legal foundation, and businesses can continue relying on DPF certifications. However, even in this case, the framework will remain politically fragile, and another challenge could arise in the future.
- If the DPF is struck down: Companies will need to fall back on SCCs, BCRs, and TIAs. Unlike 2020, regulators are unlikely to show leniency. Authorities have published extensive guidance since Schrems II, and businesses are expected to demonstrate contingency planning. A return to uncertainty would also reignite geopolitical tensions between Brussels and Washington, already strained by disputes over tariffs, the Digital Markets Act, and the Digital Services Act.
How Businesses Can Prepare
Even though companies are better positioned than they were in 2020, most still rely heavily on US cloud and SaaS providers. Replacing them is rarely realistic. The key is to be prepared for a post-DPF environment.
Here are five practical steps every organization should take now:
- Map all US data transfers: Use your ROPA to distinguish between transfers relying on the DPF and those covered by SCCs or BCRs.
- Check your contracts: Ensure all Data Processing Agreements and SCCs are up to date and properly executed, with annexes completed in detail.
- Audit your Transfer Impact Assessments: Make sure every non-DPF transfer has a documented TIA that realistically evaluates US surveillance risks.
- Prepare fallback TIAs for DPF-based transfers: Gather the information you would need to draft TIAs quickly if the framework collapses.
- Coordinate with IT and procurement: Evaluate whether alternative providers exist, what costs would be involved, and how long a switch would take. This knowledge will be essential in board discussions.
From Panic to Preparedness
Back in 2020, Schrems II caused panic. Today, the compliance landscape is different. Organizations have better tools, more mature processes, and clearer regulatory expectations. But the stakes are higher, and regulators will not forgive unpreparedness.
Whether Schrems III confirms or invalidates the DPF, one thing is clear: companies must be ready to adapt quickly. The difference between panic and preparedness will depend on the work done now.
If you want to know more about DLA Piper’s legal tech tool to perform Transfer Impact Assessments, you can have a look at a short presentation HERE and reach out to us. Also, you can watch the short video on how to run a Transfer Impact Assessment HERE.