
Reading time: 4 minutes
The U.S. Supreme Court decision issued on 29 June 2026 (Trump v. Slaughter; hereinafter “Decision”) is likely to affect the legal assessment of international data transfers between the European Union and the United States and may mark a turning point in current practices in this area.
In its decision, the Supreme Court of the United States (“Supreme Court”), relying on the theory of a unified executive branch, concluded that all independent executive agencies operating in the United States are unconstitutional. The decision also directly affects the U.S Federal Trade Commission (“FTC”).
This development is of particular significance from the perspective of European data protection law, as the current EU–US Data Privacy Framework (the “EU–US Data Privacy Framework”, hereinafter “Framework”), adopted by the European Commission’s (“Commission”) Implementing Decision No. 2023/1795, designates the FTC as the independent supervisory authority responsible for ensuring compliance with data protection rules.
In our newsletter, we provide an overview of the most important rules governing data transfer practices between the European Union and the United States, and we also review what changes companies need to prepare for as a result of the Decision.
The regulatory framework for data transfers to third countries under the GDPR and the legacy of the Schrems decisions
Under Regulation 2016/679 on the protection of personal data (“GDPR”), the transfer of personal data to a third country is, as a general rule, lawful only if that country ensures an adequate level of protection. A key consideration in assessing adequacy is whether the third country has an independent and effective data protection supervisory authority capable of effectively enforcing and ensuring compliance with data protection rules. In the absence of such an authority or if it functions inadequately, a system of safeguards comparable to that at the EU level cannot be ensured. For this reason, the Commission may adopt an adequacy decision regarding a third country only if the legal system of the country under review – including through such an independent supervisory authority – ensures an adequate level of protection for personal data.
In this context, it is also important to note that the legal framework governing data transfers from the European Union to the United States has long been fraught with uncertainty. In its decisions in the Schrems I and Schrems II cases, the Court of Justice of the European Union previously invalidated the Safe Harbor framework and, subsequently, the Privacy Shield framework governing data transfers between the EU and the U.S. The court justified its decision by stating that, due to the mass surveillance practices applied in the United States and the lack of effective legal remedies, data subjects are not guaranteed a level of protection in accordance with EU data protection rules.
Thereafter, the current Framework was introduced as a sort of “third-generation” data transfer adequacy decision, which designates the FTC as the independent supervisory authority with respect to the United States. However, as a result of the Decision, it has become unclear whether the conditions necessary for the FTC’s independence continue to be met.
Why is this relevant for EU data controllers?
In the past few decades, many EU companies have outsourced their data processing activities to U.S. cloud service providers. However, the GDPR clearly stipulates that companies may lawfully transfer personal data to a third country – including the United States – only if the transfer is based on appropriate safeguards and a legal basis.
One possible legal basis for data transfers is what are known as adequacy decisions. In the context of relations between the European Union and the United States, the Framework serves currently this function. In the absence of an adequacy decision, data transfers may only take place lawfully if the organization in question provides appropriate safeguards, such as the use of the Standard Contractual Clauses (“SCC”) adopted by the European Commission or the implementation of Binding Corporate Rules (“BCR”).
If it is concluded that the FTC no longer meets the independence requirements set forth in the Framework, it is likely that the Commission will review the Framework in the future and, if necessary, repeal it.
We emphasize that this development may not be limited to data transfers carried out under the Framework. Data controllers who use SCCs or BCRs may also be affected, as, in accordance with the principle of accountability under the GDPR, companies are required to assess, as part of a data transfer impact assessment, whether the laws of the third country ensure the necessary level of protection. If this assessment concludes that the U.S.’s legal system – particularly with regard to government access or remedy mechanisms – does not provide adequate safeguards, then the use of SCCs or BCRs alone is not sufficient to maintain the lawfulness of the data transfer, and therefore they cannot provide an adequate basis for data transfers to the United States.
Recommended steps
Based on the above, the current developments require increased caution from all data controllers involved in international data transfers to the United States. The decision does not require immediate direct action; rather, it calls for a review of internal processes and appropriate risk management:
a comprehensive review of internal procedures governing data transfers;
updating data transfer impact assessments;
assessing whether it is necessary to implement additional technical measures, including, for example, the use of encryption;
identifying alternative data processing solutions.
Summary
It can therefore be concluded that the adequacy of the Framework is not clear; however, the Framework itself remains in effect until the Commission repeals it or the Court of Justice of the European Union annuls it. Consequently, the Decision does not currently have a direct impact on EU data controllers. However, companies are advised to review their practices regarding data transfers to the United States and, if necessary, prepare to implement alternative solutions.
Photo source: pexels.com, Mark Stebnicki