On June 29, 2026, the Supreme Court of the U.S. (SCOTUS) held in Trump v. Slaughter that the U.S. President can dismiss members of the Federal Trade Commission (FTC) at will, rather than only for cause, overruling existing precedent regarding independent agencies. This decision of domestic constitutional law could also change the rules governing transfer of personal data from the European Economic Area (EEA, which includes the 27 European Union countries plus Iceland, Liechtenstein, and Norway) to the U.S.
The EU-U.S. Data Privacy Framework (DPF) relies on the FTC providing independent oversight of participating organizations’ compliance with the DPF. As a result, the DPF is likely to face renewed challenges. After the Slaughter decision, a spokesperson for the European Commission (EC) indicated that the EC has “taken note” of the opinion and “will now carefully analyze any implications it may have for the EU-U.S. agenda.” And a leading European privacy activist, Max Schrems, has declared that “the basis for any EU-U.S. data transfer deal is dead.” Against this backdrop, the EC could decide to exercise its powers to suspend or repeal the DPF, or EU courts may decide to invalidate it. The ruling may also impact the legal landscape for transfers based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), as the FTC’s diminished independence may need to be taken into account when conducting data transfer impact assessments (DTIA).
Background
The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside the EEA unless there is a legal basis for the transfer, which generally means that it is covered by an adequacy decision or the transferring company is able to rely on another valid data transfer mechanism, such as SCCs or BCRs. An adequacy decision is adopted by the EC and recognizes that a non-EEA country (or specific organizations within a non-EEA country) ensures an adequate level of protection, allowing personal data to flow freely from the EEA to the relevant organizations located in that country.
The DPF is one such adequacy decision. It enables U.S. organizations that self-certify to the framework to import personal data from the EEA into the U.S., without having to rely on another data transfer mechanism. The main authority enforcing participating organizations’ compliance with the DPF Principles is the FTC.
The validity of the DPF has been challenged but upheld by the EU General Court (see here), although an appeal of that judgment before the full Court of Justice of the EU (CJEU) is pending. The two predecessors of the DPF, the Safe Harbor and Privacy Shield arrangements, were both invalidated by the CJEU in the landmark Schrems I and Schrems II rulings, illustrating that the CJEU has not hesitated to invalidate transatlantic data transfer frameworks in the past.
The SCOTUS Ruling and Its Implications
The key facts, the SCOTUS’ ruling, and the implications for EU-U.S. personal data transfers are summarized below.
- Facts. In March 2025, President Trump removed the FTC’s two Democratic Commissioners, Rebecca Slaughter and Alvaro Bedoya. In his removal notice to one of them, President Trump indicated that the Commissioners were removed because their continued service was inconsistent with his Administration’s priorities—not for a specific cause. Slaughter brought a lawsuit against her removal, citing the for-cause removal protections established in Humphrey’s Executor v. United States, a SCOTUS decision from 1935, which held that the President could only fire an FTC Commissioner for cause. Bedoya was originally a party to the lawsuit, but his claim was dropped when he voluntarily resigned.
- Ruling. SCOTUS held that the for-cause removal protections violated the separation of powers under the U.S. Constitution and that President Trump could lawfully remove Commissioners at will. Leaving in no doubt of the President’s authority to remove the Commissioner at-will, SCOTUS explicitly overruled the 90-year precedent of Humphrey’s Executor.
- Impact on EU-U.S. personal data flows. The ruling may have a significant impact for companies transferring EEA personal data to the U.S.
- Impact on transfers based on the DPF. The DPF’s validity in EU law depends, among other things, on the FTC acting as an independent enforcement authority. If the FTC is deemed insufficiently independent by the EC, a core assumption underpinning the DPF adequacy decision has materially changed, increasing the likelihood of renewed scrutiny. On the one hand, the EC could decide to suspend or repeal the DPF adequacy decision, though this remains unlikely in the current geopolitical context. On the other hand, privacy advocacy groups such as the NGO None of Your Business (NOYB) have already signaled their intent to pursue an action to have the CJEU invalidate the DPF adequacy decision, which could lead to a “Schrems III” ruling in the future. This would be in addition to the pending CJEU appeal regarding its annulment mentioned above. If the DPF is invalidated, companies would no longer be able to rely on it to transfer EEA personal data to the U.S. In such a case, they would need to quickly switch to alternative data transfer mechanisms, such as SCCs or BCRs.
- Impact on transfers based on SCCs and BCRs. The implications may extend beyond the DPF. Companies transferring personal data outside the EEA must assess, as part of their DTIAs, whether the laws and practices of the recipient country ensure an appropriate level of protection for personal data and whether they need to implement any supplementary measures. So far, companies transferring personal data to the U.S. have generally carried out these assessments on the assumption that the FTC operates as an independent regulator enforcing relevant privacy laws against the U.S.-based recipients of EEA personal data. Given questions about whether the FTC’s independence has been diminished, companies should consider assessing whether this ruling impacts their current DTIAs and data transfer strategy
What Should Companies Do Now?
While the DPF adequacy decision remains valid for the time being, companies that routinely transfer EEA personal data to the U.S. should assess their data transfer strategy. For transfers relying on the DPF, companies could consider taking a belt-and-suspenders approach by implementing SCCs or BCRs in addition to the DPF. For transfers relying on SCCs and BCRs, companies should consider assessing the impact of this ruling and whether the level of protection for EEA personal data remains appropriate. Beyond these practical steps, it is largely a wait-and-see situation, with the EC, the EU courts, and privacy advocacy groups likely to shape the future of the DPF in the months and years ahead.
Compliments of Wilson Sonsini – a member of the EACCNY