Skip to content

US Supreme Court Ruling Jeopardizes EU-US Data Protection Framework

The Bottom Line: The constitutional authorization of the US President to remove FTC commissioners without cause jeopardizes the FTC as the core supervisory body of the EU-US Data Protection Framework and thus the lawfulness of data transfers to the US.

On June 29, 2026, the US Supreme Court ruled that the US President may dismiss commissioners of the Federal Trade Commission (FTC) without stating grounds. This weakening of FTC independence calls into question the legal basis of the EU-US Data Protection Framework.

In Trump v. Slaughter, the US Supreme Court decided by a 6-3 majority that statutory restrictions on the President’s removal authority over FTC commissioners are unconstitutional. The dispute arose when President Trump, at the beginning of his second term in 2025, removed FTC commissioners Rebecca Slaughter and Alvaro Bedoya without stated cause, even though federal law permitted removal only for cause, including inefficiency, neglect of duty, or malfeasance.

Chief Justice Roberts grounded the majority opinion in the so-called Unitary Executive Theory: because the US Constitution vests executive power in the President, executive agencies must remain under his control. The ruling thereby weakens a decades-old precedent (Humphrey’s Executor v. United States, 1935) that allowed Congress to shield certain regulatory agencies from arbitrary removal.

For the European Union, this institutional power shift has direct implications for the EU-US Data Protection Framework (DPF). EU data protection law requires that third countries ensure a level of protection equivalent to that of the Union, including independent and effective supervision. The possibility that a central US enforcement agency could be reshaped by presidential decree raises questions about whether the economic oversight of the DPF continues to meet this standard.

Since July 2023, the DPF has formed the legal basis for more than 5,300 US organizations that have certified themselves—including major technology, cloud, advertising and software providers whose services European enterprises use daily. Within the DPF, the FTC is not the sole actor (the Commerce Department administers the certification system, the Department of Transportation plays a role in certain sectors), but it is a central supervisory function. Article 45 of the GDPR and Article 8(3) of the EU Charter of Fundamental Rights require that data protection oversight be conducted independently—a condition that now stands in question.


Source: www.activemind.legal · Published July 2, 2026
Lumi AI News — AI-assisted curation in accordance with Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.

Share on: