EU-U.S. Data Privacy Framework at risk following U.S. Supreme Court ruling

Yalcin Erleblebici

Guest author from activeMind AG

A recent ruling by the U.S. Supreme Court confirms that the President of the United States may dismiss the leadership of independent authorities without grounds. This could affect the supervisory body responsible for the EU-U.S. Data Privacy Framework (DPF), calling into question the DPF as the basis for transatlantic data flows.

We explain the ruling, what data protection activist Max Schrems subsequently announced, what this means for companies in the EU, and what you can do to protect your organisation.

What did the U.S. Supreme Court decide and why is it relevant for Europe?

In Trump v. Slaughter (No. 25-332), the U.S. Supreme Court ruled on 29 June 2026, by a majority of 6 to 3, that statutory restrictions on the President’s power to remove Commissioners of the Federal Trade Commission (FTC) are contrary to the Constitution of the United States. The dispute arose after President Donald Trump, at the beginning of his second term in early 2025, dismissed the democratically appointed FTC Commissioners Rebecca Slaughter and Alvaro Bedoya without citing any statutory ground for removal, even though federal law had permitted dismissal only on grounds of inefficiency, neglect of duty, or misconduct in office.

Chief Justice Roberts, who authored the majority opinion, based the decision on the so-called unitary executive theory: Since the Constitution vests executive powers in the President, executive agencies must be subject to presidential control. Statutory protections shielding FTC Commissioners from at-will presidential dismissal are therefore unconstitutional.

In practical terms, the ruling significantly weakens the independence of agencies such as the FTC and effectively displaces the central premise of Humphrey’s Executor v. United States (1935), the precedent that had allowed Congress to insulate certain collegially structured regulatory bodies from at-will dismissal by the President.

What may sound like a specific decision on institutional design in Washington can have considerable consequences for the European Union, in particular for the EU-U.S. Data Privacy Framework (DPF).

EU law on data transfers asks whether the third country ensures a level of protection essentially equivalent to that guaranteed within the Union. That assessment includes independent and effective supervision. If a central U.S. enforcement authority can be reshaped through immediate presidential dismissal, the EU must ask whether the commercial oversight underpinning the DPF continues to meet that standard.

What role does the FTC play in the EU-U.S. Data Privacy Framework?

The EU-U.S. Data Privacy Framework, formally Commission Implementing Decision (EU) 2023/1795, has formed the legal basis for many transatlantic transfers since July 2023. More than 5,300 U.S. organisations have self-certified under the Framework, including major providers in the fields of technology, cloud computing, advertising, software and business services whose offerings European companies use on a daily basis.

The operational transfer basis is Art. 45 of the General Data Protection Regulation (GDPR): The European Commission may decide that a third country ensures an adequate level of protection, whereupon personal data may flow without additional transfer authorisations. This adequacy assessment must be read in conjunction with Article 8(3) of the Charter of Fundamental Rights of the European Union, which requires that compliance with data protection rules be subject to control by an independent authority.

Within the DPF, the FTC is not the only actor, but it is a central one. The Department of Commerce administers the self-certification system, whilst the FTC enforces compliance for most participating organisations, and the Department of Transportation (DoT) plays a more limited role for certain companies in the transport sector. Private dispute resolution bodies can support remedies but do not replace public enforcement.

Any substantial loss of FTC independence is therefore legally significant for the commercial pillar of the DPF. The data protection organisation noyb, led by Max Schrems, argues in a letter to the European Commission dated 30 June 2026 that no other U.S. authority can remedy this deficiency. The DoT is equally part of the executive branch and faces the same independence problem under the logic of Trump v. Slaughter. Private redress mechanisms likewise cannot provide the independent public supervision required under EU law.

Does the ruling also affect other guarantees of the Framework?

The FTC question concerns the commercial enforcement side of the DPF. noyb further contends that the ruling has consequences for the separate architecture of the Framework with regard to government access and redress in relation to surveillance measures. These questions should be considered analytically separately, but both feed into the same adequacy question: whether the United States continues to offer protection that is essentially equivalent to EU law.

The Data Protection Review Court (DPRC), established by President Biden’s Executive Order 14086, is housed within the U.S. Department of Justice and is intended to provide data subjects in the EU with a redress mechanism for complaints about U.S. intelligence activities. noyb argues that if Congress cannot create independent executive bodies by statute, a President cannot establish equivalent independence by executive order either. A future President could moreover amend or revoke such an order.

The Privacy and Civil Liberties Oversight Board (PCLOB) provides limited transparency and oversight with respect to U.S. surveillance programmes. It was established by statute as an independent body. Under noyb’s reading of Trump v. Slaughter, its statutory independence is now subject to the same constitutional objection.

The implications are not limited to DPF-certified transfers. Organisations relying on Standard Contractual Clauses (SCCs) must continue to carry out and update Transfer Impact Assessments (TIAs). Those assessments should now consider whether weakened independent supervision in the United States diminishes the level of protection available to data subjects.

Why is this constitutional conflict not easy to resolve?

The problem may constitute a structural constitutional conflict rather than a temporary political disagreement. EU primary law requires independent and effective supervision as part of the protection of personal data. The new approach of the U.S. Supreme Court to presidential dismissal powers could make it difficult or impossible to guarantee such independence for executive agencies such as the FTC.

This is significant because the usual political corrections may not suffice. A change of government in Washington could alter enforcement priorities, but would not eliminate the constitutional position stated in the Supreme Court ruling. Amending the EU Treaties would require unanimity among the Member States. Amending the U.S. Constitution is even less realistic. The result is a lasting legal divergence between two constitutional orders, not merely a political dispute about data protection enforcement.

What is Max Schrems planning and what will happen to the DPF?

Following Trump v. Slaughter, noyb has announced that it is preparing a legal challenge to the DPF before the Court of Justice of the European Union (CJEU). Max Schrems and noyb have a track record that European data protection practitioners know well. In Schrems I (2015), the CJEU declared the Safe Harbour regime invalid. In Schrems II (2020), it annulled the EU-U.S. Privacy Shield. Both rulings forced thousands of companies to reassess their transfer mechanisms and created what noyb now refers to as a recurring compliance cliff.

The noyb challenge is expected to rely on the constitutional incompatibility described above. An earlier, separate challenge to the DPF brought by French parliamentarian Philippe Latombe was dismissed by the General Court of the European Union on procedural grounds. The anticipated noyb case is likely to be broader in scope and more substantive in nature.

In parallel, noyb has written to the European Commission and Commissioner McGrath, calling for an orderly exit from the DPF. noyb demands a planned repeal of Implementing Decision (EU) 2023/1795 with appropriate transitional periods, as well as the inclusion of the question of U.S. data transfers in the Commission’s broader tech sovereignty agenda. In the letter, noyb states that it regards litigation as a last resort and would prefer a managed transition over another abrupt legal rupture.

What should organisations do now?

The current legal position is clear but unstable: Commission Implementing Decision (EU) 2023/1795 remains formally in force unless and until it is repealed by the Commission or annulled by the Union courts. Organisations may continue to rely on the DPF today. That reliance should, however, be documented and accompanied by contingency planning, rather than treated as risk-free.

Organisations should neither panic nor prematurely abandon the DPF whilst it remains valid. They should, however, treat the ruling as a material change to the risk environment for U.S. transfers and prepare for possible supervisory guidance, Commission action, or changes to the legal position resulting from court judgments.

The following steps are recommended.

Establish which personal data are transferred to which U.S.-based providers, for which purposes and on which basis: DPF, SCCs, Binding Corporate Rules (BCRs), derogations, or another mechanism.

Update TIAs to reflect the revised analysis of FTC and DoT independence, and assess whether any supplementary measures for each relevant transfer remain sufficient.

For critical providers, review current DPF certification status, contractual fallback clauses, sub-processor chains, audit rights, and termination or migration options.

Pay particular attention to special categories of personal data, employee data, data relating to minors, health data, financial data, large-scale monitoring, and core operational systems.

Where the risk profile is high or migration appears feasible, evaluate whether EU-based or otherwise lower-risk alternatives are economically and technically viable.

Follow publications and communications from the European Commission, the European Data Protection Board (EDPB), and national data protection authorities. Their responses will shape enforcement expectations and the practical transition between adequacy decisions and appropriate safeguards for transfers of personal data to third countries.

Conclusion: Prepare before the next cliff edge is reached

Trump v. Slaughter is more than a dispute over a niche area of U.S. constitutional law. The ruling exposes a potential incompatibility between the U.S. Supreme Court’s understanding of executive control and the EU’s requirement for independent and effective data protection supervision. This incompatibility once again places the legal foundation of the EU-U.S. Data Privacy Framework under pressure.

Schrems III is not yet inevitable and the DPF has not been declared invalid. The risk is, however, now concrete enough that organisations should act before a future CJEU ruling could annul the adequacy decision. The prudent course is to act whilst there is still time for an orderly transition.
