CLVPartners

European Commission

Uncertainty Surrounding U.S. Data Transfers: What to expect following the Trump v. Slaughter decision

Reading time: 4 minutes

The U.S. Supreme Court decision issued on 29 June 2026 (Trump v. Slaughter; hereinafter “Decision”) is likely to affect the legal assessment of international data transfers between the European Union and the United States and may mark a turning point in current practices in this area.

In its decision, the Supreme Court of the United States (“Supreme Court”), relying on the theory of a unified executive branch, concluded that all independent executive agencies operating in the United States are unconstitutional. The decision also directly affects the U.S Federal Trade Commission (“FTC”).

This development is of particular significance from the perspective of European data protection law, as the current EU–US Data Privacy Framework (the “EU–US Data Privacy Framework”, hereinafter “Framework”), adopted by the European Commission’s (“Commission”) Implementing Decision No. 2023/1795, designates the FTC as the independent supervisory authority responsible for ensuring compliance with data protection rules.

In our newsletter, we provide an overview of the most important rules governing data transfer practices between the European Union and the United States, and we also review what changes companies need to prepare for as a result of the Decision.

The regulatory framework for data transfers to third countries under the GDPR and the legacy of the Schrems decisions

Under Regulation 2016/679 on the protection of personal data (“GDPR”), the transfer of personal data to a third country is, as a general rule, lawful only if that country ensures an adequate level of protection. A key consideration in assessing adequacy is whether the third country has an independent and effective data protection supervisory authority capable of effectively enforcing and ensuring compliance with data protection rules. In the absence of such an authority or if it functions inadequately, a system of safeguards comparable to that at the EU level cannot be ensured. For this reason, the Commission may adopt an adequacy decision regarding a third country only if the legal system of the country under review – including through such an independent supervisory authority – ensures an adequate level of protection for personal data.

In this context, it is also important to note that the legal framework governing data transfers from the European Union to the United States has long been fraught with uncertainty. In its decisions in the Schrems I and Schrems II cases, the Court of Justice of the European Union previously invalidated the Safe Harbor framework and, subsequently, the Privacy Shield framework governing data transfers between the EU and the U.S. The court justified its decision by stating that, due to the mass surveillance practices applied in the United States and the lack of effective legal remedies, data subjects are not guaranteed a level of protection in accordance with EU data protection rules.

Thereafter, the current Framework was introduced as a sort of “third-generation” data transfer adequacy decision, which designates the FTC as the independent supervisory authority with respect to the United States. However, as a result of the Decision, it has become unclear whether the conditions necessary for the FTC’s independence continue to be met.

Why is this relevant for EU data controllers?

In the past few decades, many EU companies have outsourced their data processing activities to U.S. cloud service providers. However, the GDPR clearly stipulates that companies may lawfully transfer personal data to a third country – including the United States – only if the transfer is based on appropriate safeguards and a legal basis.

One possible legal basis for data transfers is what are known as adequacy decisions. In the context of relations between the European Union and the United States, the Framework serves currently this function. In the absence of an adequacy decision, data transfers may only take place lawfully if the organization in question provides appropriate safeguards, such as the use of the Standard Contractual Clauses (“SCC”) adopted by the European Commission or the implementation of Binding Corporate Rules (“BCR”).

If it is concluded that the FTC no longer meets the independence requirements set forth in the Framework, it is likely that the Commission will review the Framework in the future and, if necessary, repeal it.

We emphasize that this development may not be limited to data transfers carried out under the Framework. Data controllers who use SCCs or BCRs may also be affected, as, in accordance with the principle of accountability under the GDPR, companies are required to assess, as part of a data transfer impact assessment, whether the laws of the third country ensure the necessary level of protection. If this assessment concludes that the U.S.’s legal system – particularly with regard to government access or remedy mechanisms – does not provide adequate safeguards, then the use of SCCs or BCRs alone is not sufficient to maintain the lawfulness of the data transfer, and therefore they cannot provide an adequate basis for data transfers to the United States.

Recommended steps

Based on the above, the current developments require increased caution from all data controllers involved in international data transfers to the United States. The decision does not require immediate direct action; rather, it calls for a review of internal processes and appropriate risk management:

a comprehensive review of internal procedures governing data transfers;

updating data transfer impact assessments;

assessing whether it is necessary to implement additional technical measures, including, for example, the use of encryption;

identifying alternative data processing solutions.

Summary

It can therefore be concluded that the adequacy of the Framework is not clear; however, the Framework itself remains in effect until the Commission repeals it or the Court of Justice of the European Union annuls it. Consequently, the Decision does not currently have a direct impact on EU data controllers. However, companies are advised to review their practices regarding data transfers to the United States and, if necessary, prepare to implement alternative solutions.

Photo source: pexels.com, Mark Stebnicki

Uncertainty Surrounding U.S. Data Transfers: What to expect following the Trump v. Slaughter decision Read More »

Questions regarding the scope of the AI Act

Reading time: 5 minutes

On 12 June 2024, a new era began in the regulation of artificial intelligence (“AI“) with the adoption and publication of the European Union’s Artificial Intelligence Regulation (“AI Act“). The purpose of the legislation is to provide a framework for the safe, transparent, and responsible development and use of AI in the European Union. In order to properly interpret the obligations set out in the AI Act, it is first necessary to clarify exactly which organizations, activities, or technological solutions are covered by the regulation.

In the second part of our series of articles, we will therefore examine the most important rules relating to the scope of the AI Act in order to help our clients start preparing for compliance in advance and to identify whether they are developing or using AI systems in their operations that are subject to the provisions of the AI Act.

The most important rules relating to the scope of the AI Act

Subject of the AI Act

The AI Act essentially covers the regulation of AI systems. Accordingly, it is first important to identify what qualifies as an AI system.

According to the AI Act, an AI system is a machine-based system that is specifically designed to operate with varying levels of autonomy and to be capable of adapting after deployment. These systems analyze inputs for explicit or implicit purposes and generate outputs—such as predictions, content, recommendations, or decisions—that may have an impact on the physical or virtual environment.

What fundamentally distinguishes AI systems from traditional software solutions is their ability to learn from input data, draw conclusions based on that data, and create models. In contrast, simpler software systems based on classic programming approaches—including systems that perform automated operations based solely on predefined, human-set rules—do not have such learning or adaptation capabilities. As a result, these solutions are not considered AI systems and are therefore not covered by the relevant regulations.

Traditional software solutions include applications that operate entirely on predetermined rules and are incapable of independent learning or adaptation. These include traditional calculators, certain basic functions of Microsoft Excel, and performance evaluation software used for financial forecasting, which are only capable of processing historical data and drawing simple statistical conclusions.

It is also important to note that, as a general rule, the AI Act does not apply to certain specific areas. The scope of the regulation does not cover AI systems used for military, defence, or national security purposes, nor does it cover systems, models, and results created specifically for scientific research and development. In addition, the AI Act does not apply to natural persons who use AI systems solely for personal, non-professional purposes.

Territorial and personal scope

The scope of the AI Act is not limited to operators located within the European Union. The regulation applies to all AI systems that are placed on the market, put into service, or used within the internal market of the European Union. Accordingly, in certain cases, the regulation also applies to operators located outside the Union.

The regulation essentially covers all operators who come into contact with AI systems, from development to use. Accordingly, the scope of the AI Regulation may include, among others, developers, service providers, distributors, importers, installers, operators, and users of the systems.

Temporal scope

The provisions of the AI Act will enter into force in stages.

However, it is important to note that certain provisions of the AI Act are already in force. These include, among others, provisions on definitions, rules on AI systems that pose an unacceptable risk (i.e., prohibited AI systems), obligations governing general-purpose AI models, and provisions on AI literacy, regulatory oversight, and sanctions.

The requirement for so-called AI literacy has particular significance. Under this provision, organizations using AI systems are required to ensure that the persons managing or operating the system have an adequate level of knowledge about AI.

According to the current provisions of the AI Act, the majority of the provisions will become applicable on 2 August 2026. However, as part of the Digital Omnibus Package, the European Commission proposed in November 2025 that the application of certain rules be postponed by up to 18 months.

Further uncertainty regarding implementation arises from the fact that the Commission was supposed to publish guidance on the classification of high-risk AI systems by 2 February 2026. These guidelines are key to determining whether a given AI application is considered high-risk and, as a result, subject to stricter documentation, compliance, and oversight requirements. However, the guidelines have not yet been published. In addition, several Member States have encountered difficulties in designating the authorities responsible for implementing the regulation.

As a result, there is still considerable uncertainty regarding the entry into force and practical application of certain provisions.

Domestic regulation

Due to its legislative form, Hungarian regulation is essentially supplementary to EU rules. Accordingly, Act LXXV of 2025 on the implementation of the European Union’s Artificial Intelligence Act in Hungary (“Hungarian AI Act”) applies only to matters, organizations, and AI systems that affect Hungary or its territory.

In terms of temporal scope, the AI Act generally applicable from December 2025, with the exception of the provision on the regulatory sandbox, which will enter into force on 2 August 2026.

Summary

The AI Act regulates systems that can learn from input data, drawing conclusions, or generating outputs autonomously, while traditional software that operates solely according to predefined rules is not covered by its scope. The territorial scope of the AI Act is broad, as it applies not only to entities established in the EU, but also to those who place AI systems on the EU market or use their outputs in the EU. The regulation covers all relevant actors, from the development to the use of the system. Although the rules of the AI Act become applicable in stages, several key provisions are already in force, but the lack of guidelines and institutional conditions for implementation is currently causing uncertainty in practical application.

Photo source: pexels.com, Tara Winstead

Questions regarding the scope of the AI Act Read More »

CLVPartners
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.