- Court Intervention: The Court of Justice of the European Union allowed Microsoft to intervene in French lawmaker Philippe Latombe’s EU-US Data Privacy Framework appeal.
- Legal Role: Microsoft can file briefs and join oral hearings supporting the European Commission’s framework defense.
- Business Stakes: The framework supports eligible EU-to-US personal-data transfers for participating US companies.
- Legal Uncertainty: Privacy campaigners argue broader US-law concerns and business legal certainty remain unresolved.
Europe’s top EU-law court, the Court of Justice of the European Union (CJEU), has approved Microsoft’s application to intervene in an appeal over the EU-US Data Privacy Framework. Microsoft can now support the European Commission’s defense of the data-transfer pact in court. CJEU judges have not ruled on the earlier ruling being challenged.
Intervener status lets Microsoft file legal briefs and participate in oral hearings while the European Commission defends the framework. Court procedure can add parties and arguments without deciding whether the underlying adequacy decision survives review. For businesses, the procedural change connects court access to the pact used for eligible EU-to-US personal-data transfers.
What Microsoft Can Do in the Appeal
Since 2023, the EU-US Data Privacy Framework has supported eligible movement of personal data between the European Union and participating US companies. Organizations use that route to move customer, supplier, and employee data. Formal intervention remains narrower than a business-wide guarantee, but it gives Microsoft a channel to put arguments before the judges.
For enterprise customers, the case outcome may affect whether Microsoft and its customers keep using the framework for transfers to participating US companies, including customers and suppliers. Companies that rely on predictable data-transfer routes face a practical question about whether the framework remains available for routine business transfers.
Cloud customers must also weigh separate Microsoft cloud-control measures, including the 2025 EU Data Boundary, Data Guardian tools, and a 2024 European Commission data-protection violation involving cloud-office use. Cloud-control measures remain separate from the pending appeal over the framework.
Framework mechanics are central because the pact was designed to answer earlier European objections to US surveillance redress. US officials created the Data Protection Review Court, the US redress body for surveillance-related complaints. Redress design sits near the center of the appeal because Latombe’s challenge targets whether the review body is independent enough to satisfy EU law.
Why the Framework Remains Contested
French lawmaker Philippe Latombe challenged the Commission’s adequacy decision before the EU General Court. In September 2025, the EU General Court ruling upheld the framework’s validity and rejected Latombe’s challenge.
Latombe’s argument focused on the Data Protection Review Court’s independence. EU judges found safeguards and conditions around judge appointments and court operations, while Latombe argued that a presidential executive order could disregard the body. Latombe moved toward an appeal in October 2025, although the full basis for that appeal has not been made public.
Privacy lawyer and campaigner Max Schrems framed the September 2025 ruling as too narrow to settle broader US-law objections:
“This was a rather narrow challenge. We are convinced that a broader review of US law – especially the use of Executive Orders by the Trump administration – should yield a different result. We are reviewing our options to bring such a challenge. While the Commission may have gained another year, we still lack any legal certainty for users and businesses.”
Max Schrems, Lawyer and privacy campaigner (via noyb.eu)
Schrems’s criticism keeps the dispute focused on legal certainty rather than only on Microsoft’s intervention. His counterargument is that the Commission gained another year while users and businesses lacked certainty. A broader review of US law could reach a different result.
Earlier Transfer Frameworks Explain the Stakes
EU-US transfer fights have reached the CJEU before. Earlier Schrems I and Schrems II rulings invalidated the Safe Harbor transfer framework and the later Privacy Shield framework, predecessors to the current arrangement, while Schrems’ earlier privacy challenges formed a separate strand of privacy litigation.
Together, those older disputes give the current appeal a long-running legal lineage. A CJEU merits ruling may decide whether, in Microsoft’s view, enterprise customers can keep using the framework route for EU-to-US transfers.
