Data Transfers
/
29 June 2026
On Monday, the US Supreme Court decided in Trump v. Slaughter that the US Federal Trade Commission (“FTC”) may not be independent anymore. Since 2000, the EU has relied on the “independent” FTC as the enforcer of EU-US deals on personal data. According to EU treaty law, such oversight must be independent. In the current EU-US deal, the European Commission relies on the independent FTC 259 (!) times. Max Schrems: “Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US.”
- Commission Implementing Decision EU 2023/1795 on the EU-US Data Privacy Framework (EUR-Lex)
- US Supreme Court Decision inTrump v. Slaughter
- noybletter to the European Commission
The EU-US Data Privacy Framework. Since 1995, the EU generally prohibits the export of personal data to third countries in order to prevent EU privacy rules from being circumvented by simply sending data abroad. While there are exceptions for necessary transfers, ranging from anything like booking a hotel to complex transactions, many EU companies simply outsourced the processing of personal data to US cloud providers. Since 2000, the European Commission has repeatedly accepted that the US is an “adequate” country when it comes to the protection of personal data – allowing free data flows between the EU and the US. The European Court of Justice (CJEU) annulled the Commission’s two previous decisions in the so-called“Schrems I” decision (killing “Safe Harbour”)and“Schrems II” decision (killing the “Privacy Shield”)because of US Surveillance Laws and the lack of judicial remedies in the US. Nevertheless, in 2023 the European Commission issued a third EU-US deal, called the “EU-US Data Privacy Framework”, which was largely a copy of the previously annulled deals.
EU requirement for an independent DPA. EU treaty law (so the EU’s “constitutional” framework), namelyArticle 16(2) TFEUandArticle 8(3) of the Charter of Fundamental Rights, requires that the oversight over data protection matters must be done by an “independent” authority. Because third countries must have “essentially equivalent” protections, it is necessary that any third country that wants to enjoy free flow of personal data from the EU also affords such protections. So far, the US has appointed the “independent” FTC to be the US privacy regulator to meet the EU’s requirement for independent oversight. The EU, in turn, has relied on the FTC a whopping 259 (!) times in it’s EU-US data flow decision.
Max Schrems: “Crucially, the EU constitutional framework requires independent oversight. The only way to change this would be a unanimous vote by all EU Member States to change the EU treaties.”
The requirement for an independent Court. Furthermore, the CJEU also highlighted that the US would need to provide an independent legal redress mechanism in matters of government surveillance. Because the US was unable to pass relevant legislation, the Biden Administration created a “Data Protection Review Court”. Despite being called a “Court” it is in fact an executive body within the US Justice Ministry. It is only “independent” via anExecutive Order(EO) by former President Biden that can be changed by Trump any moment and is not binding for the President.
The “Slaughter” decision: unitary (Trump) executive. In a 180° turn on previous case law, the conservative majority in the US Supreme Court has now decided that the independence of the FTC is unconstitutional. This follows the “unitary executive theory” that the US President must have power overallUS executive bodies, declaring all US laws that make various agencies independent to be unconstitutional. Given that the EU relied on the “independence” of the FTC as a privacy watchdog in almost all cases, the entire structure of the EU-US Data Privacy Framework has just collapsed.
Max Schrems: “Even in the European Commission’s logic, the basis for any EU-US data transfer deal is dead. We call upon the Commission to start an orderly exit from the US cloud – which is not easy, but unfortunately unavoidable. The Commission built a legal house of cards under industry pressure. Now that it clearly collapses, it has to take responsibility.”
Impact not unlimited. Even if all the underpinning of the EU decision is gone, the European Commission’s decision is formally in force until either the European Commission repeals it or the Court of Justice annuls it. Hence, there is no immanent effect. The GDPR also only regulated the transfer of personal data. Non-personal data can flow freely. Furthermore,Article 49 GDPRallows necessary data transfers to any third country. It does, however, not allow to structurally offshore data from the EU, if it is not strictly necessary.
SCCs and BCRs also affected. While some companies may not directly rely on the EU-US Framework and instead formally use SCCs and BCRs, they usually also rely on an “impact assessment”, which in turn relies on formerly independent US executive bodies such as the PCLOB or the Data Protection Review Court. The Supreme Court decision therefore usually affects them too, even if they do not rely on the FTC. Other than controllers relying on a formal Commission Decision, they must immanently update their assessment – and logically come to the conclusion that data transfers are not legal anymore.
Next Steps: Commission must repeal EU-US deal. noybhas sent aformal letter to the European Commissiontoday, asking it to take the appropriate steps to repeal the EU-US data deal in an orderly way. Politically, many EU Member States have already moved towards a “digital sovereignly” approach and announced to decouple from US service providers. Some US service providers also move towards separate EU data processing. However, given that the US still exercises massive pressure on the EU to keep personal data flowing,noybwill also file a lawsuit in the coming weeks, aiming to allow the CJEU to annul the current deal. However, such a lawsuit typically takes 2-3 years until a final decision is reached.
