CLVPartners

supreme court

Uncertainty Surrounding U.S. Data Transfers: What to expect following the Trump v. Slaughter decision

Reading time: 4 minutes

The U.S. Supreme Court decision issued on 29 June 2026 (Trump v. Slaughter; hereinafter “Decision”) is likely to affect the legal assessment of international data transfers between the European Union and the United States and may mark a turning point in current practices in this area.

In its decision, the Supreme Court of the United States (“Supreme Court”), relying on the theory of a unified executive branch, concluded that all independent executive agencies operating in the United States are unconstitutional. The decision also directly affects the U.S Federal Trade Commission (“FTC”).

This development is of particular significance from the perspective of European data protection law, as the current EU–US Data Privacy Framework (the “EU–US Data Privacy Framework”, hereinafter “Framework”), adopted by the European Commission’s (“Commission”) Implementing Decision No. 2023/1795, designates the FTC as the independent supervisory authority responsible for ensuring compliance with data protection rules.

In our newsletter, we provide an overview of the most important rules governing data transfer practices between the European Union and the United States, and we also review what changes companies need to prepare for as a result of the Decision.

The regulatory framework for data transfers to third countries under the GDPR and the legacy of the Schrems decisions

Under Regulation 2016/679 on the protection of personal data (“GDPR”), the transfer of personal data to a third country is, as a general rule, lawful only if that country ensures an adequate level of protection. A key consideration in assessing adequacy is whether the third country has an independent and effective data protection supervisory authority capable of effectively enforcing and ensuring compliance with data protection rules. In the absence of such an authority or if it functions inadequately, a system of safeguards comparable to that at the EU level cannot be ensured. For this reason, the Commission may adopt an adequacy decision regarding a third country only if the legal system of the country under review – including through such an independent supervisory authority – ensures an adequate level of protection for personal data.

In this context, it is also important to note that the legal framework governing data transfers from the European Union to the United States has long been fraught with uncertainty. In its decisions in the Schrems I and Schrems II cases, the Court of Justice of the European Union previously invalidated the Safe Harbor framework and, subsequently, the Privacy Shield framework governing data transfers between the EU and the U.S. The court justified its decision by stating that, due to the mass surveillance practices applied in the United States and the lack of effective legal remedies, data subjects are not guaranteed a level of protection in accordance with EU data protection rules.

Thereafter, the current Framework was introduced as a sort of “third-generation” data transfer adequacy decision, which designates the FTC as the independent supervisory authority with respect to the United States. However, as a result of the Decision, it has become unclear whether the conditions necessary for the FTC’s independence continue to be met.

Why is this relevant for EU data controllers?

In the past few decades, many EU companies have outsourced their data processing activities to U.S. cloud service providers. However, the GDPR clearly stipulates that companies may lawfully transfer personal data to a third country – including the United States – only if the transfer is based on appropriate safeguards and a legal basis.

One possible legal basis for data transfers is what are known as adequacy decisions. In the context of relations between the European Union and the United States, the Framework serves currently this function. In the absence of an adequacy decision, data transfers may only take place lawfully if the organization in question provides appropriate safeguards, such as the use of the Standard Contractual Clauses (“SCC”) adopted by the European Commission or the implementation of Binding Corporate Rules (“BCR”).

If it is concluded that the FTC no longer meets the independence requirements set forth in the Framework, it is likely that the Commission will review the Framework in the future and, if necessary, repeal it.

We emphasize that this development may not be limited to data transfers carried out under the Framework. Data controllers who use SCCs or BCRs may also be affected, as, in accordance with the principle of accountability under the GDPR, companies are required to assess, as part of a data transfer impact assessment, whether the laws of the third country ensure the necessary level of protection. If this assessment concludes that the U.S.’s legal system – particularly with regard to government access or remedy mechanisms – does not provide adequate safeguards, then the use of SCCs or BCRs alone is not sufficient to maintain the lawfulness of the data transfer, and therefore they cannot provide an adequate basis for data transfers to the United States.

Recommended steps

Based on the above, the current developments require increased caution from all data controllers involved in international data transfers to the United States. The decision does not require immediate direct action; rather, it calls for a review of internal processes and appropriate risk management:

a comprehensive review of internal procedures governing data transfers;

updating data transfer impact assessments;

assessing whether it is necessary to implement additional technical measures, including, for example, the use of encryption;

identifying alternative data processing solutions.

Summary

It can therefore be concluded that the adequacy of the Framework is not clear; however, the Framework itself remains in effect until the Commission repeals it or the Court of Justice of the European Union annuls it. Consequently, the Decision does not currently have a direct impact on EU data controllers. However, companies are advised to review their practices regarding data transfers to the United States and, if necessary, prepare to implement alternative solutions.

Photo source: pexels.com, Mark Stebnicki

Uncertainty Surrounding U.S. Data Transfers: What to expect following the Trump v. Slaughter decision Read More »

Reinterpreted Restrictive Covenant!

The supreme court has confirmed that it is not possible to incorporate the consideration for non-compete into the monthly wages even in the labour contract with the executive employees. The common practice is that the employees are required to notify the employer on the data of their a new employer.

Now according to the decision of the supreme court, breach of the notification undertaking shall not be penalised, only breach of the restrictive covenant. This surprising decision would significantly reduce the employers ability to check the fulfilment of this undertaking, because they do not become aware or only by accident if their former employee works for their competitor if there is no sanction for non-reporting. The labour code but it is a contract governed by the Civil Code which basically based on the principle of the parties’ freedom to freely determine their agreement in the absence of expressly prohibited provision, and the Civil Code does not prohibit the imposition of a penalty for breaching of notification obligation. It seems that the courts leave less room for the Hungarian employers in their civil law

Reinterpreted Restrictive Covenant! Read More »

CLVPartners
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.