The US Supreme Court's decision in Trump v. Slaughter just rendered the EU-US Data Privacy Framework legally hollow by stripping the FTC of its independence—the very feature the EU leaned on 259 times in its adequacy decision.
That number matters because EU treaty law, specifically Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights, demands that oversight of data protection be done by an "independent" authority. The European Commission mapped that requirement onto the US by pointing to the supposedly independent FTC. With that independence now ruled unconstitutional, the entire legal underpinning for free data flows from the EU to the US collapses.
The FTC Independence Required by EU Law
Since 2000, the EU has accepted US adequacy by leaning on the FTC as the enforcer of privacy protections. The Commission's 2023 adequacy decision for the EU-US Data Privacy Framework references the FTC 259 times. That decision was already a third attempt after the CJEU killed Safe Harbour (Schrems I) and Privacy Shield (Schrems II) for failing to protect against US surveillance and lack of judicial remedies. This time, the flaw isn't surveillance—it's the lack of an independent watchdog. Max Schrems put it bluntly: "Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US."
What the Supreme Court Decision Changes
The conservative majority in Trump v. Slaughter adopted a "unitary executive" theory: the President must control all executive bodies. That makes the FTC—and any other independent agency—unconstitutional. The Data Protection Review Court, created by Biden Executive Order to provide a redress mechanism, was already a sham—an executive body inside the Justice Ministry, only independent by a revocable order. Now even that fiction is irrelevant because the FTC, the primary oversight body, is no longer independent.
Impact isn't immediate: the Commission decision remains formally in force until repealed or annulled by the CJEU. But the practical effect is immediate for companies relying on SCCs or BCRs. Those mechanisms depend on a risk assessment that assumes independent US oversight bodies like PCLOB or the Data Protection Review Court. That assumption is dead on arrival. Controllers must update their transfer impact assessments now—and the only logical conclusion is that transfers are not legal anymore.
Next Steps: Repeal and Decoupling
noyb has already sent a formal letter demanding the European Commission repeal the adequacy decision in an orderly fashion. The Commission built a "legal house of cards under industry pressure," as Schrems put it, and now must take responsibility. Several EU member states have been moving toward digital sovereignty and decoupling from US cloud providers. Some US providers have already started segregating EU data processing. But the scale of the shift is enormous: millions of EU companies outsourced data processing to US clouds under the false promise of adequacy.
The Commission now faces the unavoidable task of orderly withdrawal from US cloud dependency—a process that will test whether EU digital sovereignty is more than a slogan.
Source: US Supreme Court Just Blew Up EU-US Data Transfers
Domain: noyb.eu
Comments load interactively on the live page.