EU cross-border data transfers

The EU-US Data Privacy Framework's Independence Pillar Has Collapsed — and noyb Is Already Moving to Finish It

The Supreme Court's June 29 FTC ruling removed the institutional guarantee cited 259 times in the 2023 adequacy decision, triggering a likely Schrems III.

DPF at Risk: By the Numbers People of Internet Research · EU 259 FTC citations in DPF Times FTC independence is cited as… 5,300+ DPF-certified companies US organizations certified to rece… 91 yrs Precedent overturned Humphrey's Executor shielded indep… €1.7T Annual transatlantic trade EU-US annual trade in goods and se… peopleofinternet.com

Key Takeaways

The Architecture of the Deal

The European Commission's 2023 adequacy decision for the EU-US Data Privacy Framework (Commission Implementing Decision EU 2023/1795, adopted July 10, 2023) was crafted to answer a precise legal question posed by the Court of Justice of the European Union: does the United States provide "essentially equivalent" data protection to the EU? The answer rested heavily on one institutional guarantee — that the Federal Trade Commission, as the primary civil enforcement authority for the DPF's commercial pillar, would operate independently of presidential control.

That guarantee no longer exists.

What the Supreme Court Did

On June 29, 2026, a 6-3 Supreme Court majority decided Trump v. Slaughter (Case No. 25-332), overturning the 91-year-old precedent of Humphrey's Executor v. United States (1935). Under Humphrey's Executor, Congress could protect the heads of multi-member regulatory agencies — including FTC commissioners — from removal except for "inefficiency, neglect of duty, or malfeasance in office." Chief Justice Roberts, writing for the majority, concluded that the FTC "unquestionably exercises executive power, and must therefore be controlled by the President." Presidents can now dismiss FTC commissioners at will, for any reason or none at all.

The ruling's immediate context was President Trump's removal of Commissioner Rebecca Kelly Slaughter without cause. Its structural consequences extend far beyond that single personnel decision.

259 References and a Legal House of Cards

The DPF's adequacy decision references FTC independence no fewer than 259 times, according to noyb, the Vienna-based privacy advocacy organization founded by Max Schrems. In a letter to European Commission officials sent days after the ruling, Schrems declared the DPF's legal foundation dead and announced plans to file a challenge before the Court of Justice of the European Union — a challenge already being called Schrems III in anticipation of a third consecutive invalidation of a transatlantic data transfer regime.

"The basis for any EU-US data transfer deal is dead. The Commission built a legal house of cards under industry pressure. Now that it clearly collapses, it has to take responsibility." — Max Schrems, noyb

Schrems's legal argument is structurally tight. EU law requires that enforcement authorities for data protection exercise genuinely independent oversight — a standard the CJEU applied rigorously when it struck down Privacy Shield in Schrems II (2020), finding that the US Ombudsperson mechanism was too embedded in executive authority. Trump v. Slaughter has now applied the same logic directly to the FTC: commissioners serve at the President's pleasure. The Commission cannot credibly argue that such an agency qualifies as an independent watchdog under EU law.

The Department of Transportation, which shares enforcement authority under the DPF for certain sectors, faces the same structural problem under the ruling's logic. The Data Privacy Review Court — the independent redress mechanism the Biden administration created to satisfy Schrems II concerns — is itself an executive-branch body. There is no structural independence anywhere in the enforcement chain.

The Case for Not Panicking

There is a serious counterargument to immediate action, and it deserves honest engagement. The Commission has spent years building the DPF and the political relationships that surround it. The framework currently supports data flows for more than 5,300 certified US organizations, covering cloud infrastructure, advertising, enterprise software, and consumer services that millions of Europeans use daily. A precipitous withdrawal of the adequacy decision would cause immediate, concrete harm to EU companies dependent on US cloud providers.

The adequacy decision also remains formally valid. No court has annulled it. Law firm Hunton Andrews Kurth confirmed shortly after the ruling that "the adequacy decision remains in force, as no court has invalidated the DPF, and U.S. companies certified under the DPF remain eligible to receive covered transfers of personal data."

The Commission is right to take time. But taking time is not the same as avoiding the underlying question. As IAPP researcher Joe Jones observed, the Commission will have to either explain convincingly why FTC independence was not actually foundational to the DPF — a hard case given 259 explicit citations — "or it's going to have to say why it's not okay."

What Comes Next for Companies and Diplomats

Companies operating under DPF certification should not immediately switch transfer mechanisms, but contingency planning is now prudent. Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) remain available as legal bases for transfers. They require transfer impact assessments that must now grapple with a politically exposed enforcement landscape, but they provide a functional fallback if the CJEU eventually annuls the DPF.

The CJEU challenge noyb is preparing will take an estimated two to three years to resolve. During that window, the Commission faces a slow-moving credibility problem: it staked the DPF on FTC independence, and must now explain what that independence was ever worth.

The structural fix requires an act of Congress — legislation that either restores meaningful removal protections for enforcement officials or creates a wholly new statutory mechanism for DPF oversight that doesn't depend on commissioner-level independence. That is a heavy lift in Washington's current political environment, but the alternative is a third consecutive collapse of the transatlantic data regime, each more disruptive than the last.

Proportionate Regulation, Proportionate Consequences

The EU-US data relationship underpins roughly €1.7 trillion in annual transatlantic trade, and both Meta and Google have warned they would withdraw from European markets if data transfers to the US were prohibited. Those threats are worth noting as context, not capitulating to — but they illustrate the asymmetric stakes of legal rupture.

The pro-innovation, proportionate position is not to ignore a real structural flaw, but to insist the response match the problem's timeline. Maintain the DPF while urgently negotiating a legislative fix; use the CJEU's multi-year timeline as diplomatic leverage to push Congress toward a durable statutory solution; and prepare SCCs as a fallback rather than weaponizing the adequacy decision as a trade instrument.

Trump v. Slaughter was decided on separation-of-powers grounds with no data protection dimension whatsoever. Its collateral damage to EU-US digital relations is substantial and real — and it is damage that both sides have a strong interest in repairing before a third Schrems ruling forces a reckoning that neither wanted.

Sources & Citations

  1. Commission Implementing Decision EU 2023/1795 (DPF Adequacy Decision)
  2. European Commission — EU-US Data Transfers Official Page
  3. noyb — US Supreme Court Just Blew Up EU-US Data Transfers
  4. The Record — Supreme Court Decision Threatens EU-US Data Transfer Agreement
  5. SCOTUSblog — Court Allows Trump to Fire FTC Commissioner