Regulation
The Data Privacy Framework on borrowed time
A US ruling on who controls the Federal Trade Commission has quietly removed a load-bearing assumption beneath every transfer of European data to the United States.
New to the topic? Start with What sovereign compliance actually means.

Photo: Khaleelah Ajibola / Unsplash
The most consequential development this year for organisations that move European data to the United States was not a regulation, a fine, or a breach. It was a domestic American ruling about presidential power, handed down on 29 June, that most compliance teams have not yet connected to their own transfer arrangements. The connection is worth drawing, because the ruling reaches the legal basis on which thousands of companies move personal data across the Atlantic every day.
What the Court decided
In Trump v. Slaughter, the US Supreme Court held that the statutory protection shielding Federal Trade Commission commissioners from dismissal without cause is unconstitutional. To reach that conclusion it overturned Humphrey’s Executor, the 1935 precedent that had defined the American idea of an independent regulatory agency for ninety years. The practical effect is plain: the President may now remove FTC commissioners at will, and an agency built to operate at arm’s length from the White House no longer does.
The Court framed this as a question of the constitutional separation of powers, and it carved out the Federal Reserve as a distinct case. It did not extend the same protection to the FTC. Whatever one makes of the domestic argument, the consequence does not stop at the American shoreline.
Why an American ruling reaches European data
Since 2023, most transfers of personal data from the EU to the United States have relied on the EU–US Data Privacy Framework. The Framework is an adequacy decision, and the distinction matters.
- Definition
- What an adequacy decision is
- An adequacy decision is a formal finding by the European Commission that a non-EU country protects personal data to a standard essentially equivalent to the EU’s own. Once it is granted, data may flow to that country freely, without additional contractual safeguards. The finding is conditional in substance: it depends on the receiving country actually maintaining the protections the Commission relied upon. Remove one of those protections, and the basis for the decision is weakened.
The protection at the centre of the commercial side of the Framework is the independence of the FTC. The Commission’s adequacy decision refers to the agency as an independent enforcer many times over; by one count from the privacy group noyb, 259 times. European law treats that independence as a requirement rather than a preference: Article 8 of the Charter of Fundamental Rights, read with Article 16 of the Treaty, demands that data-protection rules be overseen by an authority that is genuinely independent.
This is not an abstract standard. The absence of genuinely independent oversight and redress was central to the Court of Justice’s reasoning when it struck down the two previous transatlantic arrangements, Safe Harbour in 2015 and Privacy Shield in 2020, both in cases brought by Max Schrems. The supervisor at the heart of today’s Framework has now been declared removable at the President’s discretion. The premise on which the Commission built the decision, and the reality the Supreme Court has just described, no longer match.
The problem is not only the FTC
The strongest version of the argument is broader than the commercial regulator, and it is worth stating precisely.
The Framework rests on two pillars. The commercial pillar is the FTC, which supervises how companies handle European data. The national-security pillar governs how US intelligence agencies may access that data, and it relies on redress mechanisms created by Executive Order 14086: a Data Protection Review Court and the Privacy and Civil Liberties Oversight Board. Each of those has its own fragility. The Review Court exists only by executive order, an instrument a President can rewrite. The oversight board was itself stripped of its quorum in early 2025, when three members were removed; a court ordered two of them reinstated in May 2025, on reasoning that rests on Humphrey’s Executor, the very precedent Slaughter has now overruled, and the government’s appeal was deferred pending Slaughter itself.
The pattern is consistent across both pillars. Much of what made the United States “adequate” in the Commission’s assessment rested on institutions assumed to be insulated from direct political control. That assumption is now weaker wherever one looks.
What happens next
Precision matters here, because the situation is easy to overstate in either direction.
The Framework is not void. The adequacy decision remains in force, certified companies may continue to rely on it, and the European Commission has said only that it has taken note of the ruling and will assess the implications. Nothing has been suspended, and the Commission has strong reasons to move slowly, since an abrupt halt to transatlantic data flows would disrupt a large part of the digital economy on both sides.
The pressure, even so, is now structural rather than rhetorical. noyb has written to the Commission urging an orderly withdrawal, and a separate challenge brought by the French politician Philippe Latombe is already moving through the EU courts; the General Court dismissed it on the merits in September 2025, upholding the Framework, and it is now on appeal to the Court of Justice (Case C-703/25 P). Should that court take up the independence question and apply the standard it set in the Schrems cases, the Framework would become the third transatlantic arrangement struck down in a decade, and the first whose flaw sits in a published opinion that anyone can read rather than in classified surveillance practice.
None of this is imminent. A ruling from the Court of Justice is realistically a 2027 or 2028 matter. The direction of travel, however, is set.
The case that the Framework survives
Intellectual honesty requires the counter-argument, because it is genuine and it may prevail.
The FTC still functions day to day. Removal at will does not stop it enforcing the law, and one reading of the Schrems standard holds that what matters is functional independence in individual cases rather than lifetime tenure. On that reading, the agency can argue that it still acts without political interference on specific matters. The politics point the same way. The Commission has little appetite to detonate transatlantic data flows and every incentive to find that the Framework holds, or to negotiate a repair. A future US Congress could restore removal protections by statute, or place the Review Court on firmer legal footing. The Court of Justice, for its part, could choose to distinguish this case rather than strike, finding that other safeguards still supply adequate protection.
None of that is a strong answer to the independence problem on its legal merits. It is a description of the incentives to look past it. The honest reading is that the Framework may well survive for some time, sustained less by the strength of its foundation than by the reluctance of anyone to be the one who ends it.
What it means if you run compliance in Europe
The practical conclusion is not alarm. It is that the Framework should no longer be treated as bedrock.
Even in the event that it is struck down, transfers to the United States will not simply stop. Standard contractual clauses would step back into the gap, as they did after both previous decisions fell. Those clauses carry a heavier burden, because each transfer then requires an individual assessment of the same US surveillance and oversight questions now back in doubt, yet they keep data moving. The mechanism changes; the flow does not end.
The deeper lesson concerns dependency, and it reaches beyond this one decision. Physical data residency has never been the whole of the question, and this ruling makes the point vivid.
- Definition
- Residency is not protection
- A data centre in Frankfurt does not change the jurisdiction of the company that operates it. Under the US CLOUD Act, American authorities can compel a US-based provider to hand over data it holds, wherever in the world that data is stored. In June 2025, asked under oath before the French Senate whether he could guarantee that French data would never be passed to the US government, Microsoft’s French legal counsel answered simply: “No, I cannot guarantee that.”
When an institution’s data, and increasingly the systems that interpret its regulatory duties, rest on a US adequacy decision that a single foreign court can unsettle, that is not a line in a risk register. It is the shape of the risk. The lesson of Trump v. Slaughter is not that the sky has fallen, but that the ground was never as solid as the contracts implied.
The reframe
The most persuasive argument for a European stack this year was not made by a vendor or a regulator. It was made by the Supreme Court of the United States, which demonstrated in a single opinion that the independence European law requires of the institutions guarding European data is, on the American side, a matter of domestic politics that can change without warning. Sovereignty stops being a slogan at precisely the moment a foreign court can remove the protection your compliance depends on.
This article is commentary on a developing legal situation, not legal advice; organisations should take their own advice on their transfer arrangements.
Frequently asked questions
- Is it still legal to transfer personal data from the EU to the US?
- Yes, for now. The EU–US Data Privacy Framework adequacy decision remains in force and certified companies may still rely on it. The European Commission has said only that it has taken note of the ruling and will assess the implications.
- What did Trump v. Slaughter change?
- On 29 June 2026 the US Supreme Court ruled that the President may remove Federal Trade Commission commissioners at will, ending the agency's independence. The Data Privacy Framework rests on the FTC being an independent supervisor, so its legal foundation is now contestable.
- What should compliance leaders do about it?
- Stop treating the framework as bedrock. Even if it were struck down, transfers would fall back to standard contractual clauses with a heavier burden of case-by-case transfer assessments. The deeper issue is dependency on a US adequacy decision that a single court can unsettle.