On June 29, 2026, the U.S. Supreme Court ruled 6-3 in Trump v. Slaughter that the Federal Trade Commission's 'for-cause' removal protections are unconstitutional. Chief Justice Roberts, writing for the majority, overturned Humphrey's Executor v. United States (1935) — a ninety-year-old precedent that had shielded FTC commissioners from at-will presidential dismissal. Under the Court's holding, FTC commissioners now serve at the president's pleasure. What sounded like a domestic administrative-law case has detonated a legal crisis across the Atlantic.
For the thousands of German companies that transfer employee records, customer data, and analytics to US cloud providers under the EU-US Data Privacy Framework, the ruling has knocked out the load-bearing wall.
The DPF Was Built on FTC Independence
The EU-US Data Privacy Framework — adopted by the European Commission as Implementing Decision EU 2023/1795 on July 10, 2023 — was specifically designed to address the structural defects that sank its predecessor, Privacy Shield, in Schrems II (2020). A central element of the Commission's adequacy determination was that the FTC functions as 'an independent authority composed of five Commissioners' who could be removed only 'for inefficiency, neglect of duty, or malfeasance in office.'
That constitutional guarantee appears 259 times in the DPF adequacy decision. This is not a footnote; it is the framework's enforcement architecture. GDPR Article 45 requires that an adequacy decision reflect 'independent data protection supervision' in the recipient country. With the FTC now legally subject to at-will presidential control, that requirement cannot be satisfied under the Commission's own stated reasoning.
NOYB Moves the Same Day
Privacy organisation noyb, founded by Max Schrems, published a detailed legal analysis within hours of the ruling and dispatched a formal letter to the European Commission. 'Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US,' Schrems said. NOYB also announced plans to file a CJEU challenge within weeks to formally annul the adequacy decision — litigation that could take two to three years to resolve.
It is worth steelmanning NOYB's position before dismissing it as reflexive activism. The legal argument is substantive. Article 45(3) of the GDPR explicitly requires the Commission to monitor developments that could affect adequacy decisions and to repeal them when conditions change. Trump v. Slaughter is a direct, verifiable constitutional change — not a speculative risk or policy shift. If the Commission declines to act, it faces the scenario NOYB is already preparing to litigate: a Schrems III that invalidates the DPF without transition provisions, precisely as happened with Safe Harbor in 2015 and Privacy Shield in 2020. NOYB's specific demand — an 'orderly withdrawal with transition periods' — is actually the business-friendly outcome. It is the sudden overnight invalidations that cause operational chaos.
German Companies in the Crosshairs
Germany's exposure is acute. Approximately 71% of German companies currently purchase cloud services from US providers, according to industry surveys. The DPF provided a single legal basis for those transfers without requiring individualised contracts or transfer impact assessments for each relationship. Over 2,800 organisations hold active DPF certifications globally — that entire population now operates on contested legal ground.
Companies using Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) as a fallback face a compounded problem. SCCs require Transfer Impact Assessments (TIAs) that evaluate whether US oversight bodies can effectively protect EU data subjects. With the FTC's independence constitutionally stripped, those TIAs must now account for the absence of structurally independent enforcement — making a positive adequacy conclusion legally difficult to defend.
The DPF formally remains valid: the Commission has not revoked it, and the CJEU has not annulled it. Companies face no immediate enforcement action today. But the history of this recurring crisis teaches a consistent lesson: adequacy decisions collapse without grace periods. German SMEs that rely on US cloud infrastructure for payroll processing, CRM systems, or HR data should treat the current window as finite.
What the European Commission Should Do
A proportionate response would look like this: the Commission opens a formal Article 45 review, publishes a legal opinion on whether the DPF remains compliant following Trump v. Slaughter, and — if the conclusion is negative — announces an orderly wind-down with a 12-to-18-month transition period and clear guidance on which fallback mechanisms remain viable. That is a harder political path than silence, but it is the responsible one.
What would be disproportionate is either a sudden revocation with no transition (repeating the Schrems II shock) or political silence that leaves companies operating on a framework whose legal foundation is openly contested. The Commission's first annual DPF review, published in October 2024, expressed confidence in the framework's durability. That confidence must now be stress-tested against new constitutional facts.
The Deeper Pattern
Trump v. Slaughter is the third iteration of the same structural problem: the US makes a regulatory commitment that satisfies EU adequacy standards at the moment of signing; US constitutional or political conditions then change; a legal challenge exposes that the commitment is no longer operative; and the CJEU invalidates the agreement. A durable solution would require either a US federal privacy statute whose enforcement guarantees cannot be undone by executive action, or a technical architecture — end-to-end encryption, sovereign key management, category-level data localisation — that reduces reliance on the political independence of US regulators.
For German companies, the practical course is immediate: map US-bound data flows, prepare SCC addenda with US cloud vendors, update TIAs to reflect the post-ruling environment, and identify which workloads could be repatriated to European infrastructure at manageable cost. The window for orderly preparation is open. After a Schrems III ruling, it will not be.