The US Supreme Court has ended the independent oversight of the US Federal Trade Commission (FTC). For privacy organization Noyb, this means the legal basis of the EU–US Data Privacy Framework is no longer valid.
On Monday, in the case Trump v. Slaughter, the US Supreme Court ruled that the Federal Trade Commission will in future be subject to the direction of the US President and will no longer act as an independent agency. This is highly relevant for transatlantic data flows: in its adequacy decision on the Data Privacy Framework, the European Commission refers 259 times to exactly this independence of the FTC.
Noyb draws a clear conclusion: without an independent US supervisory authority, the legal foundation of the entire agreement collapses. In an open letter to the Commission, Max Schrems calls for an orderly withdrawal from the agreement.
Where the agreement comes from
EU law has fundamentally prohibited the transfer of personal data to countries outside the Union since 1995.
In order for companies to still use US cloud services, the European Commission must certify an adequate level of data protection. Two earlier attempts — Safe Harbor and Privacy Shield — were already struck down by the Court of Justice of the European Union in the Schrems I and Schrems II cases, because EU citizens in the US had no effective legal remedies against state surveillance.
The successor adopted in 2023, the Data Privacy Framework, differs only slightly in substance from its failed predecessors. A key requirement for such an adequacy decision under Article 16 TFEU and Article 8 of the EU Charter of Fundamental Rights is an independent supervisory authority in the third country. In the US, this role has so far been fulfilled by the FTC.
Schrems stresses that EU treaty law leaves no room for compromise here; the requirement could only be weakened through a unanimous treaty change by all EU member states.
In addition to the supervisory authority, the Court of Justice of the EU also requires effective judicial redress against surveillance measures. Since the US Congress did not pass such legislation, the Biden administration created the so-called Data Protection Review Court by executive order. Despite its name, it is in fact a unit within the US Department of Justice. Its independence is based solely on a presidential order that can be revoked at any time and does not bind the President himself.
What the Supreme Court changed
The conservative majority of the US Supreme Court has broken with long-standing case law in its Slaughter decision. It is based on the “Unitary Executive” theory: the President must have authority over all executive agencies, making statutory independence of individual bodies unconstitutional.
Because almost the entire argument of the European Commission regarding the adequacy of US data protection relies on FTC independence, Noyb sees the entire foundation of the Data Privacy Framework collapsing. Schrems speaks of a legal “house of cards” built under industry pressure that is now collapsing, for which the Commission must take responsibility.
Transitional period instead of immediate effect
Legally, nothing changes for now: the adequacy decision remains in force until the Commission withdraws it or the Court of Justice of the European Union declares it invalid.
In addition, the GDPR only applies to personal data; there are no restrictions for other types of data.
Companies that rely on Standard Contractual Clauses or Binding Corporate Rules are also affected, as their risk assessments are based on the same US institutions now called into question, such as the PCLOB or the Data Protection Review Court.
Industry reaction
Benjamin Schilz, CEO of European collaboration provider Wire, sees the ruling as a warning sign for organizations that continue to depend on US providers for cloud and communications infrastructure. In his view, Europe has been trying for years to mask a structural sovereignty problem with legal emergency solutions, especially since Safe Harbor and Privacy Shield have already failed.
The Data Protection Review Court, he notes, remains essentially a unit of the US Department of Justice whose existence depends on a presidential order that can be revised at any time. As long as no European courts provide legal certainty, companies remain exposed to a permanent state of uncertainty rather than a reliable IT infrastructure basis.
Digital sovereignty, Schilz argues, is not defined by where data is stored, but by who controls the infrastructure and which law applies. “Europe must stop outsourcing trust,” he summarizes.
What comes next
Noyb intends to file a lawsuit before the Court of Justice of the European Union seeking a formal annulment of the agreement. Based on previous experience, it may take two to three years until a final decision is reached.
(lb)