Skip to content

US Supreme Court Undermines Legal Basis for EU-US Data Transfer

In brief: The independence of the FTC was a core component of the EU adequacy decision; with its elimination by the Supreme Court, the Data Privacy Framework loses its legal foundation.

The US Supreme Court has stripped the Federal Trade Commission of its independence, thereby attacking the justification for the EU-US Data Privacy Framework, which the EU Commission cites 259 times in its adequacy decision. This opens the door to a new legal crisis like those that followed Safe Harbor and Privacy Shield.

In Trump v. Slaughter, the US Supreme Court decided that the Federal Trade Commission must henceforth be subject to the direction of the US President and thus loses its independence. Data protection association Noyb and legal expert Max Schrems view this as a direct attack on the Data Privacy Framework: the EU Commission explicitly bases its adequacy decision for transatlantic data transfer on FTC independence at 259 points.

The legal background has been core European data protection law since 1995: personal data may in principle not be transferred to countries outside the EU. Two predecessor agreements (Safe Harbor and Privacy Shield) have already been struck down by the Court of Justice of the European Union because EU citizens in the US lacked effective remedies against state surveillance. The Data Privacy Framework (2023) contains scarcely any substantive improvements but again relies on the alleged independence of the FTC as well as the “Data Protection Review Court” – a department of the US Department of Justice created by presidential order and subject to revocation at any time. Article 16 TFEU and Article 8 of the Charter of Fundamental Rights require an independent supervisory authority for adequacy decisions; according to Schrems’ legal assessment, this can only be altered through unanimous EU treaty amendment.

The Supreme Court follows the doctrine of the “Unitary Executive” with its decision: the President needs full authority to direct all executive agencies, which makes statutory independence unconstitutional. Noyb sees the foundation of the Data Privacy Framework crumbling and calls in an open letter to the Commission for an “orderly exit” from the agreement. Schrems speaks of a “legal house of cards” that was built under industry pressure and is now collapsing.

In the short term, nothing changes legally: the adequacy decision remains valid until the Commission withdraws it itself or the Court of Justice of the European Union voids it. However, companies that resort to standard contractual clauses or binding corporate rules also cannot assume they are unaffected – their risk assessments likewise rely on the now questionable US institutions.


Source: www.it-daily.net · Published July 2, 2026
Lumi AI News — AI-assisted curation pursuant to Article 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.2.

Share on: