The Supreme Court Just Eliminated FTC Independence – and the EU-US Data Privacy Framework May Not Survive It
The legal scaffolding holding together EU-US data transfers just took a direct structural hit. On June 29, 2026, the United States Supreme Court issued a 6-3 decision in Trump v. Slaughter that makes FTC commissioners removable at presidential will – eliminating the statutory independence the agency has operated under since 1935. For European organizations relying on the EU-US Data Privacy Framework to legally transfer personal data to US cloud providers, this is not a speculative compliance risk. It is a structural defect at the foundation of the entire adequacy decision.
The European Commission adopted the EU-US Data Privacy Framework in July 2023 following years of negotiation after Schrems II invalidated Privacy Shield in 2020. The adequacy decision rests on a critical legal premise: that the FTC operates as an independent enforcement authority capable of holding US organizations accountable for GDPR-equivalent data protection obligations. According to NOYB’s analysis of the adequacy decision, the Commission cited FTC independence 259 times in that document. The Supreme Court just made that independence unconstitutional.
Max Schrems, the Austrian privacy advocate whose prior challenges dismantled both Safe Harbor and Privacy Shield, wasted no time. On June 30, his advocacy organization NOYB sent a formal letter to the Commission demanding an orderly withdrawal from the DPF adequacy decision, calling the framework a “legal house of cards.” A CJEU challenge – already referred to as Schrems III – is expected within weeks. If the prior two cases are any indication, the adequacy decision will not survive it.
Standard contractual clauses and Binding Corporate Rules – the backup transfer mechanisms most EU organizations actually rely on – are also exposed. Transfer impact assessments for these mechanisms routinely relied on assumptions about independent US oversight bodies, many of which are now subject to presidential removal. The entire legal architecture of EU-US data transfers is under pressure. Organizations that have not yet completed a formal risk assessment of their EU-US data flows — mapping each transfer, its legal basis, and its dependency on US enforcement independence — should treat that inventory as the first compliance action this ruling requires.
Key Takeaways
The Supreme Court eliminated FTC independence.
In Trump v. Slaughter (June 29, 2026), a 6-3 majority held that statutory removal protections for FTC commissioners are unconstitutional, applying the “unitary executive theory” and overturning 90 years of precedent under Humphrey’s Executor v. United States.
The EU-US Data Privacy Framework is structurally compromised.
The European Commission cited FTC independence 259 times in its 2023 DPF adequacy decision – the legal foundation that allows EU organizations to freely transfer personal data to US cloud providers.
Schrems III is coming.
Privacy advocacy group NOYB sent a formal letter to the European Commission on June 30 demanding an orderly withdrawal from the DPF adequacy decision and announced plans to file a CJEU challenge within weeks.
Standard Contractual Clauses and BCRs face collateral damage.
Transfer impact assessments for SCCs and Binding Corporate Rules typically relied on assumptions about independent US enforcement bodies now subject to presidential removal.
Data sovereignty is no longer a premium option.
Organizations that built their data strategy around DPF adequacy – storing EU personal data with US hyperscalers – face legal transfer risk that on-premises, private cloud, or sovereign EU cloud deployments eliminate entirely. A data governance framework that maps every EU personal data flow to its transfer basis is the prerequisite for understanding the full scope of exposure.
A Complete Checklist of GDPR Compliance
What the DPF Adequacy Decision Said About FTC Independence – and Why It Now Matters
The Commission’s July 2023 adequacy determination was a 100-page legal argument built on a central empirical claim: that the United States provides a level of data protection “essentially equivalent” to that guaranteed under EU law. One pillar of that equivalency was FTC independence.
The GDPR requires that data protection enforcement be conducted by independent supervisory authorities free from political instruction or executive control. The FTC, under the 1935 Humphrey’s Executor precedent, had statutory removal protections that insulated commissioners from presidential interference. The Commission cited this independence repeatedly – 259 times – in justifying the adequacy determination.
That foundation is now gone. Trump v. Slaughter applies the “unitary executive theory” to hold that Congress cannot insulate independent agency heads from presidential removal. The FTC’s enforcement of DPF commercial privacy obligations can now be directed, constrained, or effectively overridden by executive preference. EU law’s requirement for genuinely independent data protection supervision is, as a practical matter, unmet.
The European Data Protection Board had already raised reservations about the DPF in earlier advisory opinions, noting that full structural independence requirements were not satisfied. Those concerns look prescient today. A CJEU appeal of the General Court’s September 2025 decision upholding the DPF (Case C-703/25 P) was already pending. Schrems III will add a substantially strengthened factual record to that challenge. CJEU proceedings of this kind typically run two to three years, but the compliance risk does not wait for a final ruling. Organizations operating under GDPR compliance obligations and NIS2 compliance requirements face supply chain and data governance obligations that the DPF uncertainty now directly affects.
The SCC and BCR Exposure Nobody Is Talking About
Most commentary on Trump v. Slaughter has focused on organizations formally enrolled in the DPF. The exposure runs considerably deeper. Standard Contractual Clauses are the mechanism most EU organizations actually use for US data transfers – and they are not insulated from this ruling.
SCCs do not provide automatic protection. Under Schrems II, organizations relying on SCCs must conduct a Transfer Impact Assessment evaluating whether the US destination provides adequate data protection in practice. Those TIAs have consistently rested on a specific factual assumption: that independent US agencies, including the FTC, provide meaningful civil enforcement of privacy obligations without executive interference. That assumption is no longer accurate.
The TIA framework developed by the European Data Protection Board specifically asks organizations to assess the independence of oversight mechanisms in the destination country. An honest answer to that question, post-Trump v. Slaughter, is materially different from what organizations put on paper in 2023.
Supervisory authorities approved Binding Corporate Rules on the basis that US parent companies operated under independently-enforced legal obligations – assumptions the Supreme Court has now altered. None of this means EU-US data transfers must stop immediately. The DPF adequacy decision formally remains in force until the Commission repeals it or the CJEU annuls it, and SCCs remain technically available. But data compliance teams that are not revisiting their transfer impact assessments right now are not managing this risk. TIAs that were defensible in 2023 may not hold up under scrutiny today. A data breach or regulatory inquiry that surfaces a legally deficient TIA post-Trump v. Slaughter would be difficult to defend — the ruling is now public record, and supervisory authorities will evaluate whether organizations updated their TIA analysis in light of it.
How the Schrems III Challenge Will Unfold
NOYB’s June 30 letter demanded two things: an orderly Commission withdrawal from the DPF adequacy decision, and a public acknowledgment that its legal basis has collapsed. The Commission’s response – declining to comment pending internal analysis – follows the script of both prior challenges.
The Commission will hold out for as long as possible. Trans-Atlantic data flows are worth over €877 billion, and the Commission has no political appetite to cut the wire unilaterally. It will wait for the CJEU to force the issue. NOYB will file its challenge within weeks, targeting the adequacy decision directly on the FTC independence ground.
Schrems I (2015) invalidated Safe Harbor after finding that US law failed to meet EU standards of independent, proportionate enforcement. Schrems II (2020) invalidated Privacy Shield because FISA Section 702 surveillance was disproportionate and lacked independent judicial oversight. Schrems III will argue that DPF enforcement mechanisms no longer meet EU independence requirements following Trump v. Slaughter. The Court’s reasoning in the prior two cases maps directly onto the factual situation this ruling has created – the argument almost writes itself.
A two-to-three year CJEU timeline means an extended period of legal uncertainty – not an immediate transfer ban, but a compliance risk that builds as the case progresses. Organizations with significant EU-US data flows should be planning now for a scenario in which the adequacy decision is annulled and no successor arrangement is immediately available. Data residency and data sovereignty architectures that eliminate cross-border transfer dependency are the only structural solution to that scenario. Organizations should also assess whether their encryption key management practices — specifically whether EU personal data is encrypted with keys that US cloud providers cannot access — provide a meaningful TIA supplemental control during the uncertainty period.
Data Sovereignty as Risk Architecture – Not Just a Compliance Preference
For years, data sovereignty compliance was a premium feature – something organizations with heightened sensitivity or defense-sector obligations pursued, while most enterprises relied on adequacy decisions and SCCs. Trump v. Slaughter changes that calculus.
Organizations that depend on US hyperscalers – AWS, Azure, GCP – for storing and processing EU personal data face a structural risk they cannot hedge by updating contractual terms or revising a privacy policy. The legal mechanism authorizing the transfer may be invalidated by a court ruling outside their control, on a timeline they cannot predict. When that happens, they face either an operational shutdown of data flows or an emergency migration to EU-resident infrastructure. Neither outcome is manageable without preparation.
The answer is to stop depending on the adequacy determination entirely. Data localization – storing and processing EU personal data within EU jurisdiction – removes the cross-border transfer question. Data that never leaves EU territory does not require a legal transfer basis under GDPR, because there is no cross-border transfer to authorize. Data minimization applied alongside localization — retaining only the EU personal data strictly necessary for each processing purpose, subject to defined retention periods — reduces the volume of data requiring localized storage and the regulatory surface area associated with it.
Kiteworks secure data exchange is deployable on-premises, in a private cloud within EU jurisdiction, or in sovereign EU cloud infrastructure – giving organizations complete control over where sensitive content is stored and processed. For European organizations processing personal data under GDPR, this means the DPF adequacy decision’s validity is simply irrelevant to their compliance posture. They have removed the dependency.
Kiteworks’ zero trust architecture ensures that even when sensitive content flows across organizational or geographic boundaries, access is governed by granular, policy-enforced access controls that satisfy GDPR compliance requirements independent of any US-EU adequacy framework. Every file transfer, email attachment, and API-driven exchange is logged with a tamper-evident audit trail – the kind of demonstrable accountability regulators demand when adequacy frameworks come under legal challenge.
What European Organizations Must Do Right Now
The period between now and the CJEU’s eventual ruling is not a grace period. It is a risk management window. Organizations that use this time to reduce their dependence on US-based data processing will be in a fundamentally stronger position than those who wait for an annulment ruling before acting.
Start with a data privacy audit: a complete inventory of EU personal data flows to US-based processors, with an analysis of the legal transfer mechanism for each. Organizations relying on DPF adequacy should evaluate SCC fallback options now, with updated TIAs that reflect the post-Trump v. Slaughter factual record. Organizations relying on SCCs should revisit existing TIAs and document their updated analysis of US enforcement independence.
Longer term, the decision is architectural. If you are storing EU personal data with a US hyperscaler, you can accept the legal uncertainty and plan for disruption, or you can migrate to EU-resident data infrastructure and remove the question from the equation. That migration takes time – time that is better spent starting now than scrambling when a ruling forces it.
GDPR compliance has always required a lawful basis for each category of personal data processing. Cross-border transfers to the US have relied on DPF adequacy as that basis for three years. The prudent response to what just happened is to document the risk, inform your DPO, update your DPIA for affected processing activities, and begin the migration work. Organizations subject to DORA obligations should additionally flag the FTC independence change as a material update to any ICT third-party risk assessments that cited US civil enforcement as a mitigating control.
One more dimension: NIS 2 Directive obligations. Operators of essential and important entities face rigorous supply chain risk requirements. A US cloud provider whose data protection enforcement is no longer independent from executive control is a supply chain risk that NIS2 risk assessments must now address. Supply chain risk management for EU-regulated organizations just became materially more complex.
To learn more about building a data architecture that doesn’t depend on the continued validity of EU-US adequacy frameworks, schedule a custom demo today.
Frequently Asked Questions
In Trump v. Slaughter (June 29, 2026), the US Supreme Court held 6-3 that statutory removal protections for FTC commissioners are unconstitutional. Applying the “unitary executive theory,” the Court overturned the 1935 Humphrey’s Executor precedent and ruled that the president may remove independent agency heads at will. For EU data privacy law, this matters because EU law requires data protection enforcement to be conducted by authorities that are independent of executive control. The FTC was the primary US enforcement body cited in the DPF adequacy decision – 259 times – and that independence is now gone. The factual premise underlying the adequacy determination no longer holds. Organizations should treat this ruling as triggering an obligation to update their regulatory compliance documentation — specifically TIAs and DPIAs that cited FTC independence as a mitigating factor in US transfer risk assessments.
Yes – as of this writing, the DPF adequacy decision formally remains in force. The Commission has not repealed it, and no CJEU judgment has annulled it. NOYB has demanded orderly withdrawal, and the Commission has declined to act immediately. Schrems III is expected within weeks, and proceedings typically take two to three years to conclude. Organizations certified under DPF may technically continue relying on it, but treating it as settled ground is a mistake. Revisiting data compliance posture and building contingency plans for an invalidation scenario is the right move now, not later. The Kiteworks Private Data Network deployed within EU jurisdiction eliminates the DPF dependency entirely — EU personal data that never crosses the Atlantic requires no adequacy decision and no TIA.
Almost certainly yes, to some degree. SCCs require Transfer Impact Assessments that evaluate whether the US provides adequate data protection in practice, including through independent enforcement mechanisms. Trump v. Slaughter changes the factual record those TIAs rested on. Revisit your TIAs, update the analysis of US enforcement independence, and consult with your DPO about whether prior conclusions remain defensible. Binding Corporate Rules face the same re-evaluation. Technical safeguards such as customer-controlled encryption keys strengthen TIA conclusions by demonstrating GDPR-aligned controls that exist independently of US enforcement conditions. Organizations should also review their data governance documentation to confirm that every SCC-covered data flow has a current, documented TIA — a supervisory authority inquiry following an invalidation ruling will focus on whether organizations updated their assessments after Trump v. Slaughter.
Schrems I (2015) invalidated Safe Harbor because US intelligence surveillance gave authorities effectively unrestricted access to EU personal data. Schrems II (2020) invalidated Privacy Shield because FISA Section 702 surveillance was disproportionate and lacked independent judicial oversight. Schrems III will target the DPF on the ground that its FTC-based enforcement mechanism is no longer independent following Trump v. Slaughter. The earlier cases were primarily about surveillance access; Schrems III is about enforcement independence. The CJEU’s reasoning in both prior cases applies directly here. Organizations should be reviewing their data sovereignty strategy in light of where Schrems III is headed, not just how long it will take. Organizations that have established EU-resident data infrastructure before the ruling will face no operational disruption; those that have deferred will face an emergency migration with no runway. A DPIA update that models the Schrems III invalidation scenario as a near-term risk — rather than a speculative future event — gives boards and DPOs the evidence basis for accelerating migration investment.
Kiteworks secure data exchange can be deployed on-premises or in private cloud infrastructure within EU jurisdiction, which means EU personal data never crosses the Atlantic and the adequacy framework question never arises. For organizations that cannot immediately migrate out of US-hosted environments, Kiteworks provides data sovereignty compliance capabilities, comprehensive audit logging, and zero-trust access controls that strengthen Transfer Impact Assessment conclusions and demonstrate GDPR-aligned data governance. Kiteworks also supports NIS2 and DORA compliance requirements that EU-regulated organizations face alongside their GDPR obligations. For organizations in regulated sectors — financial services under DORA, essential entities under NIS2, healthcare under sector-specific rules — the combination of EU-resident deployment and Kiteworks’ unified audit trail across all content channels gives compliance teams the demonstrable governance record that supervisory authorities expect to see when adequacy frameworks come under challenge.
Additional Resources
- Blog Post The Tug-of-War Over Your Data: How the CLOUD and SHIELD Acts Pit Security vs. Privacy
- Blog Post Secure Sensitive Data by Mapping DSPM to Your Compliance Goals
- Brief Top 3 FERPA Violations and How to Avoid Them
- Blog Post Executive Order 14117: Protecting Americans’ Bulk Sensitive Personal Data
- Blog Post Need NIS2 Compliance? Start With ISO 27001