On June 29, 2026, the Supreme Court of the U.S. (SCOTUS) held in Trump v. Slaughter that the U.S. President can dismiss members of the Federal Trade Commission (FTC) at will, rather than only for cause, overruling existing precedent regarding independent agencies. This decision of domestic constitutional law could also change the rules governing transfer of personal data from the European Economic Area (EEA, which includes the 27 European Union countries plus Iceland, Liechtenstein, and Norway) to the U.S.
The EU-U.S. Data Privacy Framework (DPF) relies on the FTC providing independent oversight of participating organizations’ compliance with the DPF. As a result, the DPF is likely to face renewed challenges. After the Slaughter decision, a spokesperson for the European Commission (EC) indicated that the EC has “taken note” of the opinion and “will now carefully analyze any implications it may have for the EU-U.S. agenda.” And a leading European privacy activist, Max Schrems, has declared that “the basis for any EU-U.S. data transfer deal is dead.” Against this backdrop, the EC could decide to exercise its powers to suspend or repeal the DPF, or EU courts may decide to invalidate it. The ruling may also impact the legal landscape for transfers based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), as the FTC’s diminished independence may need to be taken into account when conducting data transfer impact assessments (DTIA).
Background
The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside the EEA unless there is a legal basis for the transfer, which generally means that it is covered by an adequacy decision or the transferring company is able to rely on another valid data transfer mechanism, such as SCCs or BCRs. An adequacy decision is adopted by the EC and recognizes that a non-EEA country (or specific organizations within a non-EEA country) ensures an adequate level of protection, allowing personal data to flow freely from the EEA to the relevant organizations located in that country.
The DPF is one such adequacy decision. It enables U.S. organizations that self-certify to the framework to import personal data from the EEA into the U.S., without having to rely on another data transfer mechanism. The main authority enforcing participating organizations' compliance with the DPF Principles is the FTC.
The validity of the DPF has been challenged but upheld by the EU General Court (see here), although an appeal of that judgment before the full Court of Justice of the EU (CJEU) is pending. The two predecessors of the DPF, the Safe Harbor and Privacy Shield arrangements, were both invalidated by the CJEU in the landmark Schrems I and Schrems II rulings, illustrating that the CJEU has not hesitated to invalidate transatlantic data transfer frameworks in the past.
The SCOTUS Ruling and Its Implications
The key facts, the SCOTUS’ ruling, and the implications for EU-U.S. personal data transfers are summarized below.
What Should Companies Do Now?
While the DPF adequacy decision remains valid for the time being, companies that routinely transfer EEA personal data to the U.S. should assess their data transfer strategy. For transfers relying on the DPF, companies could consider taking a belt-and-suspenders approach by implementing SCCs or BCRs in addition to the DPF. For transfers relying on SCCs and BCRs, companies should consider assessing the impact of this ruling and whether the level of protection for EEA personal data remains appropriate. Beyond these practical steps, it is largely a wait-and-see situation, with the EC, the EU courts, and privacy advocacy groups likely to shape the future of the DPF in the months and years ahead.
Wilson Sonsini's Data, Privacy, and Cybersecurity practice advises companies on the full range of transatlantic data-transfer mechanisms and is closely monitoring the developments related to the Slaughter ruling. We can help you assess your exposure, revisit transfer-impact assessments, implement SCCs or supplementary safeguards, and build a contingency plan calibrated to your data flows.
For more information or if you have any questions regarding data transfers, please contact Laura De Boel, Cédric Burton, Yann Padova, or Nikolaos Theodorakis from Wilson Sonsini’s Data, Privacy, and Cybersecurity practice.
Rossana Fol, Olga Kosno, and Hugh Ó Laoide Kelly contributed to the preparation of this alert.