RSS

US Supreme Court Just Blew Up EU-US Data Transfers

tomwas541 pts0 comments

US Supreme Court just blew up EU-US Data Transfers

Skip to main content

en

de

bg

cs

el

es

fi

fr

hu

it

nl

pl

sk

US Supreme Court just blew up EU-US Data Transfers

Data Transfers

29 June 2026

On Monday, the US Supreme Court decided in Trump v. Slaughter that the US Federal Trade Commission (“FTC”) may not be independent anymore. Since 2000 the EU has relied on the “independent” FTC as the enforcer of EU-US deals on personal data. According to EU treaty law such oversight must be independent. In the current EU-US deal, the European Commission relies on the independent FTC 259 (!) times. Max Schrems: “ Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US .”

Commission Implementing Decision EU 2023/1795 on the EU-US Data Privacy Framework (EUR-Lex)<br>US Supreme Court Decision in Trump v. Slaughter<br>noyb Letter to the European Commission<br>The EU-US Data Privacy Framework. Since 1995 the EU generally prohibits the export of personal data to third countries, to ensure that EU privacy rules cannot be evaded by simply sending data abroad. While there are exceptions for necessary transfers ranging from anything like booking a hotel to complex transactions, many EU companies simply outsourced the processing of personal data to US cloud providers. Since 2000 the European Commission has repeatedly accepted that the US is an “adequate” country when it comes to the protection of personal data – allowing free data flows between the EU and the US. The European Court of Justice (CJEU) annulled the two previous decisions of the Commission in the so-called “Schrems I” decision (killing “Safe Harbour”) and “Schrems II” decision (killing the “Privacy Shield”), because of US Surveillance Laws and the lack of judicial remedies in the US. Nevertheless, the European Commission issued a third EU-US deal in 2023 called the “EU-US Data Privacy Framework”, which was largely a copy/paste of the previously annulled deals.<br>EU requirement for an independent DPA. EU treaty law (so the EU “constitutional” framework), namely Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights, requires that the oversight over data protection matters must be done by an “independent” authority. Because third countries must have “essentially equivalent” protections, it is necessary that any third country that wants to enjoy free flow of personal data from the EU also affords such protections. So far, the US has appointed the “independent” FTC to be the US privacy regulator to meet the EU need for independent oversight. The EU in turn has relied on the FTC a whopping 259 (!) times in it’s EU-US data flow decision.<br>Max Schrems: “Crucially the EU constitutional framework requires independent oversight. The only way to change this would be a unanimous vote by all EU Member States to change the EU treaties.”<br>The requirement for an independent Court. Furthermore, the CJEU also highlighted that the US would need to provide an independent legal redress mechanism in matters of government surveillance. Because the US was unable to pass relevant legislation, the Biden Administration created a “Data Protection Review Court”. While it is called a “Court” it is in fact an executive body within the US Justice Ministry. It is only “independent” via an Executive Order (EO) by former President Biden that can be changed by Trump any moment and is not binding on the President.<br>The “Slaughter” Decision: Unitary (Trump) Executive. In a 180° turn from the case law, the conservative majority on the US Supreme Court has now decided that the independence of the FTC is unconstitutional. This follows a “unitary” theory, that the US President must have power over all US executive bodies and declared all US laws that make various agencies independent to be unconstitutional. Given that the EU in almost all cases relied on the “independence” of the FTC as a privacy watchdog, the entire structure of the EU-US Data Privacy Framework has just collapsed.<br>Max Schrems: “Even in the logic of the European Commission, the basis for any EU-US data transfer deal is dead. We call upon the Commission to start an orderly exit from the US cloud – which is not easy, but unfortunately unavoidable. The Commission built a legal house of cards under industry pressure, now that it clearly collapses it has to take responsibility.”<br>Impact not unlimited. Even if all the underpinning of the EU decision is gone, the European Commission Decision is formally in force until either the European Commission repeals it or the Court of Justice annuls it. There is hence no immanent effect. The GDPR also only regulated the transfer of personal data. Non-personal data can flow freely. Furthermore, Article 49 GDPR allows necessary data transfers to any third country. It does however not allow to structurally offshore data from the EU, if this is not strictly necessary.<br>SCCs and BCRs also...

data independent commission court european decision

Related Articles

(no title)

Risse50 ptstitle

Is AI ruining our skills? Early results are in – and they're not good

Michelangelo1124 ptstools skills during physicians colonoscopies tool

The Anatomy of an AI-Native Org

kiyanwang22 ptstranslated managers business translation language engineering

Apertus – Open Foundation Model for Sovereign AI

T-A16 ptsopen model apertus foundation sovereign fully

Italy's Meloni says Trump 'made up' story that she 'begged' him for photo at G7

root-parent13 ptsmeloni trump italy said italian begged
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.