EU cross-border data transfers

Trump v. Slaughter Severs the FTC Independence That the EU-US Data Privacy Framework Is Built On

A 6-3 Supreme Court ruling eliminating FTC independence has triggered noyb's third challenge to transatlantic data transfers, threatening €1.7 trillion in annual commerce.

[Infographic: "Trump v. Slaughter: The Numbers Behind the Data Tran…" (People of Internet Research · EU, peopleofinternet.com). Panels: 259 FTC Independence Citations; €1.7T Annual Trade at Risk; 6-3 SCOTUS Vote Margin; 91 years Precedent Overturned.]

The Ruling That Rewrote 91 Years of Precedent

On June 29, 2026, the U.S. Supreme Court handed down its 6-3 decision in Trump v. Slaughter (No. 25-332), explicitly overturning Humphrey's Executor v. United States (1935) — a 91-year precedent that had allowed Congress to shield agencies like the Federal Trade Commission from at-will presidential removal. Writing for the majority, Chief Justice John Roberts held that "subordinates who exercise the President's power are subject to removal by him," rendering the FTC's statutory for-cause protections an unconstitutional restraint on the executive. Justices Sotomayor, Kagan, and Jackson dissented, with Sotomayor warning the ruling "discards constitutional democracy in favor of one that distorts the structure of Government to fit the majority's theory of unitary, total executive control."

The domestic implications are sweeping. For transatlantic data governance, they may be existential.

The DPF's Structural Dependency on FTC Independence

The EU-US Data Privacy Framework — adopted by the European Commission on July 10, 2023 — was the third attempt to legalise routine data flows across the Atlantic, following Safe Harbour (invalidated in 2015) and Privacy Shield (invalidated July 2020). Its adequacy decision (Implementing Decision EU 2023/1795) designates the FTC as the primary enforcement authority for more than 5,300 self-certified U.S. companies. By noyb's count, the Commission's adequacy text references FTC independence 259 times.

That dependence is structural, not incidental. Under GDPR Article 45, the Commission must certify that a recipient country provides oversight by an "independent" data protection authority. The FTC was that authority for commercial data. With Trump v. Slaughter establishing that FTC commissioners serve entirely at the president's pleasure, the independence claim the Commission certified has been eliminated by the very country whose regime it certified.

On June 29 itself, noyb founder Max Schrems sent a formal letter to European Commission Commissioner McGrath demanding repeal of the adequacy decision and announcing plans to file suit before the Court of Justice of the EU. "The basis for any EU-US data transfer deal is dead," Schrems declared. "We call upon the Commission to start an orderly exit from the U.S. cloud — which is not easy, but unfortunately unavoidable."

Steelmanning the Privacy Concern

Before dismissing this as litigious overreach, the EU's position deserves a fair hearing. The DPF was born from legitimate surveillance concerns: the Schrems II ruling in July 2020 invalidated Privacy Shield because FISA Section 702 and Executive Order 12333 gave U.S. intelligence agencies access to European data without the proportionality safeguards EU law requires. An independent FTC was always imperfect protection against signals-intelligence collection — but it was the agreed structural anchor for commercial enforcement. With that anchor eliminated by a domestic constitutional ruling, European supervisory authorities have a coherent legal question before them. The strongest version of the pro-challenge argument is this: if the EU's adequacy finding is premised on oversight body independence, and that independence is now constitutionally void, the finding cannot survive without remediation.

The Problem Requires Congress, Not Courts

Acknowledging the legal coherence of Schrems III does not mean the right response is immediate framework collapse. The 2-3 year CJEU litigation timeline noyb envisions creates prolonged uncertainty for the €1.7 trillion in annual transatlantic commerce the DPF enables. Meta and Google have said they would exit Europe if data transfers to the U.S. became legally impossible — a threat no regulator or court should test at scale.

The Commission's rational response is to act on two tracks simultaneously. First, defend the existing framework on the grounds that the DPF remains in force — no court has invalidated it — and that GDPR adequacy asks whether protection is essentially equivalent, not constitutionally identical by U.S. standards. Second, press Washington for a legislative fix: a narrowly drafted statute restoring independence protections for the FTC and the Data Protection Review Court (established by Biden's Executive Order 14086) specifically for their roles in fulfilling international data governance obligations. Notably, Roberts' majority carved out the Federal Reserve from its unitary-executive logic, suggesting targeted statutory exceptions for functions with international treaty implications may survive constitutional scrutiny. That is the opening Congress should use.

This is harder politically than letting CJEU litigation run its course. But it is the only durable solution.

What Companies Must Do Now

For the thousands of businesses relying on the DPF today, the immediate situation is clear: the framework is still legally valid. But the risk premium on DPF-dependent transfers has risen materially. Companies should audit their data flows mapped to DPF certifications, update Transfer Impact Assessments to reflect the diminished FTC independence, and ensure contractual fallbacks — primarily Standard Contractual Clauses with supplementary measures — are in place. The lesson from Schrems I and II is consistent: businesses that diversified their legal transfer mechanisms weathered each disruption far better than those relying solely on the invalidated framework.

The Bet the Commission Made

Schrems has called the DPF "a legal house of cards built under industry pressure." That characterisation is partisan — the Commission negotiated in good faith with the tools available under a Biden-era executive architecture. But it contains a genuine structural warning. Building an adequacy finding on an executive order and an FTC independence statute that constitutional scholars had long flagged as vulnerable was a calculated risk. Trump v. Slaughter has made that risk concrete.

The DPF is not dead today. But whether it survives the next two to three years depends not on a European court's schedule, but on whether Washington can pass legislation quickly enough to give the CJEU a reason to uphold it.
