Germany cross-border data flows

Trump v. Slaughter Eliminates the FTC Independence Cited 259 Times in the EU-US Data Privacy Framework, Triggering Calls for Revocation

A 6-3 SCOTUS ruling overturning 90 years of precedent has demolished the structural guarantee underlying transatlantic data transfers, leaving German companies in legal limbo.

EU-US Data Framework After Trump v. Slaughter People of Internet Research · Germany 259 FTC Citations in DPF Times EU adequacy decision cited F… 90 yrs Precedent Overturned Humphrey's Executor (1935) shielde… 2,800+ DPF Certified Companies Organisations globally relying on … $7.1T Transatlantic Economic Ties Value of the EU-US economic relati… peopleofinternet.com

Key Takeaways

On June 29, 2026, the U.S. Supreme Court ruled 6-3 in Trump v. Slaughter that the Federal Trade Commission's 'for-cause' removal protections are unconstitutional. Chief Justice Roberts, writing for the majority, overturned Humphrey's Executor v. United States (1935) — a ninety-year-old precedent that had shielded FTC commissioners from at-will presidential dismissal. Under the Court's holding, FTC commissioners now serve at the president's pleasure. What sounded like a domestic administrative-law case has detonated a legal crisis across the Atlantic.

For the thousands of German companies that transfer employee records, customer data, and analytics to US cloud providers under the EU-US Data Privacy Framework, the ruling has knocked out the load-bearing wall.

The DPF Was Built on FTC Independence

The EU-US Data Privacy Framework — adopted by the European Commission as Implementing Decision EU 2023/1795 on July 10, 2023 — was specifically designed to address the structural defects that sank its predecessor, Privacy Shield, in Schrems II (2020). A central element of the Commission's adequacy determination was that the FTC functions as 'an independent authority composed of five Commissioners' who could be removed only 'for inefficiency, neglect of duty, or malfeasance in office.'

That constitutional guarantee appears 259 times in the DPF adequacy decision. This is not a footnote; it is the framework's enforcement architecture. GDPR Article 45 requires that an adequacy decision reflect 'independent data protection supervision' in the recipient country. With the FTC now legally subject to at-will presidential control, that requirement cannot be satisfied under the Commission's own stated reasoning.

NOYB Moves the Same Day

Privacy organisation noyb, founded by Max Schrems, published a detailed legal analysis within hours of the ruling and dispatched a formal letter to the European Commission. 'Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US,' Schrems said. NOYB also announced plans to file a CJEU challenge within weeks to formally annul the adequacy decision — litigation that could take two to three years to resolve.

It is worth steelmanning NOYB's position before dismissing it as reflexive activism. The legal argument is substantive. Article 45(3) of the GDPR explicitly requires the Commission to monitor developments that could affect adequacy decisions and to repeal them when conditions change. Trump v. Slaughter is a direct, verifiable constitutional change — not a speculative risk or policy shift. If the Commission declines to act, it faces the scenario NOYB is already preparing to litigate: a Schrems III that invalidates the DPF without transition provisions, precisely as happened with Safe Harbor in 2015 and Privacy Shield in 2020. NOYB's specific demand — an 'orderly withdrawal with transition periods' — is actually the business-friendly outcome. It is the sudden overnight invalidations that cause operational chaos.

German Companies in the Crosshairs

Germany's exposure is acute. Approximately 71% of German companies currently purchase cloud services from US providers, according to industry surveys. The DPF provided a single legal basis for those transfers without requiring individualised contracts or transfer impact assessments for each relationship. Over 2,800 organisations hold active DPF certifications globally — that entire population now operates on contested legal ground.

Companies using Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) as a fallback face a compounded problem. SCCs require Transfer Impact Assessments (TIAs) that evaluate whether US oversight bodies can effectively protect EU data subjects. With the FTC's independence constitutionally stripped, those TIAs must now account for the absence of structurally independent enforcement — making a positive adequacy conclusion legally difficult to defend.

The DPF formally remains valid: the Commission has not revoked it, and the CJEU has not annulled it. Companies face no immediate enforcement action today. But the history of this recurring crisis teaches a consistent lesson: adequacy decisions collapse without grace periods. German SMEs that rely on US cloud infrastructure for payroll processing, CRM systems, or HR data should treat the current window as finite.

What the European Commission Should Do

A proportionate response would look like this: the Commission opens a formal Article 45 review, publishes a legal opinion on whether the DPF remains compliant following Trump v. Slaughter, and — if the conclusion is negative — announces an orderly wind-down with a 12-to-18-month transition period and clear guidance on which fallback mechanisms remain viable. That is a harder political path than silence, but it is the responsible one.

What would be disproportionate is either a sudden revocation with no transition (repeating the Schrems II shock) or political silence that leaves companies operating on a framework whose legal foundation is openly contested. The Commission's first annual DPF review, published in October 2024, expressed confidence in the framework's durability. That confidence must now be stress-tested against new constitutional facts.

The Deeper Pattern

Trump v. Slaughter is the third iteration of the same structural problem: the US makes a regulatory commitment that satisfies EU adequacy standards at the moment of signing; US constitutional or political conditions then change; a legal challenge exposes that the commitment is no longer operative; and the CJEU invalidates the agreement. A durable solution would require either a US federal privacy statute whose enforcement guarantees cannot be undone by executive action, or a technical architecture — end-to-end encryption, sovereign key management, category-level data localisation — that reduces reliance on the political independence of US regulators.

For German companies, the practical course is immediate: map US-bound data flows, prepare SCC addenda with US cloud vendors, update TIAs to reflect the post-ruling environment, and identify which workloads could be repatriated to European infrastructure at manageable cost. The window for orderly preparation is open. After a Schrems III ruling, it will not be.

Sources & Citations

  1. Trump v. Slaughter — Cornell LII (full ruling text)
  2. EU DPF Adequacy Decision EU 2023/1795 — EUR-Lex
  3. NOYB: US Supreme Court Just Blew Up EU-US Data Transfers
  4. Heise: House of Cards — US Ruling Could Shatter Transatlantic Data Flow
  5. SCOTUSblog: Court Allows Trump to Fire FTC Commissioner, Overturns Major Restraint on Presidential Power
  6. Ogletree: Supreme Court Holds FTC For-Cause Removal Protections Violate Separation of Powers