WSGR logoWSGR logo
WSGR logo
  • Experience
  • People
  • Insights
  • About Us
  • Careers

  • Practice Areas
  • Industries

  • Corporate
  • Intellectual Property
  • Litigation
  • Patents and Innovations
  • Regulatory
  • Technology Transactions

  • Capital Markets
  • Corporate Governance
  • Corporate Life Sciences
  • Derivatives
  • Emerging Companies and Venture Capital
  • Employee Benefits and Compensation
  • Energy and Climate Solutions
  • Executive Advisory Program
  • Finance and Structured Finance
  • Fund Formation
  • Greater China
  • Mergers & Acquisitions
  • Private Equity
  • Public Company Representation
  • Real Estate
  • Restructuring
  • Shareholder Engagement and Activism
  • Tax
  • U.S. Expansion

  • Special Purpose Acquisition Companies (SPACs)

  • Environmental, Social, and Governance

  • AI and Data Center Infrastructure
  • Energy Regulation and Competition
  • Project Development and M&A
  • Project Finance and Tax Credit Transactions
  • Sustainability and Decarbonization
  • Transportation Electrification

  • U.S. Expansion Library and Resources

  • Post-Grant Review
  • Trademark and Advertising

  • Antitrust Litigation
  • Arbitration
  • Board and Internal Investigations
  • Class Action Litigation
  • Commercial Litigation
  • Consumer Litigation
  • Corporate Governance Litigation
  • Employment Litigation
  • Government Investigations
  • Internet Strategy and Litigation
  • Patent Litigation
  • Securities Litigation
  • State Attorneys General
  • Supreme Court and Appellate Practice
  • Trade Secret Litigation
  • Trademark and Copyright Litigation
  • Trial
  • White Collar Crime

  • Advertising, Promotions, and Marketing
  • Antitrust and Competition
  • Committee on Foreign Investment in the U.S. (CFIUS)
  • Communications
  • Data, Privacy, and Cybersecurity
  • Export Control and Sanctions
  • FCPA and Anti-Corruption
  • FDA Regulatory, Healthcare, and Consumer Products
  • Federal Trade Commission
  • Fintech and Financial Services
  • Government Contracts
  • National Security and Trade
  • Payments
  • State Attorneys General
  • Strategic Risk and Crisis Management
  • Tariffs, Customs, and Import Compliance

  • Antitrust and Intellectual Property
  • Antitrust Civil Enforcement
  • Antitrust Compliance and Business Strategy
  • Antitrust Criminal Enforcement
  • Antitrust Litigation
  • Antitrust Merger Clearance
  • European Competition Law
  • Third-Party Merger and Non-Merger Antitrust Representation

  • Anti-Money Laundering
  • Foreign Ownership, Control, or Influence (FOCI)
  • Team Telecom

  • AI in Healthcare
  • Animal Health
  • Artificial Intelligence and Machine Learning
  • Aviation
  • Biotech
  • Blockchain and Cryptocurrency
  • Clean Energy
  • Climate and Clean Technologies
  • Communications and Networking
  • Consumer Products and Services
  • Data Storage and Cloud
  • Defense Tech
  • Diagnostics, Life Science Tools, and Deep Tech
  • Digital Health
  • Digital Media and Entertainment
  • Electronic Gaming
  • Fintech and Financial Services
  • FoodTech and AgTech
  • Global Generics
  • Internet
  • Life Sciences
  • Medical Devices
  • Mobile Devices
  • Mobility
  • NewSpace
  • Quantum Computing
  • Semiconductors
  • Software

  • Offices
  • Country Desks
  • Events
  • Community
  • Our Diversity
  • Sustainability
  • Our Values
  • Board of Directors
  • Management Team

  • Austin
  • Boston
  • Boulder
  • Brussels
  • Century City
  • Hong Kong
  • London
  • Los Angeles
  • New York
  • Palo Alto
  • Salt Lake City
  • San Diego
  • San Francisco
  • Seattle
  • Shanghai
  • Washington, D.C.
  • Wilmington, DE

  • Law Students
  • Judicial Clerks
  • Experienced Attorneys
  • Patent Agents
  • Business Professionals
  • Alternative Legal Careers
  • Contact Recruiting
SCOTUS Ruling Calls into Question EU-U.S. Personal Data Flows
Alerts
July 8, 2026

On June 29, 2026, the Supreme Court of the U.S. (SCOTUS) held in Trump v. Slaughter that the U.S. President can dismiss members of the Federal Trade Commission (FTC) at will, rather than only for cause, overruling existing precedent regarding independent agencies. This decision of domestic constitutional law could also change the rules governing transfer of personal data from the European Economic Area (EEA, which includes the 27 European Union countries plus Iceland, Liechtenstein, and Norway) to the U.S.

The EU-U.S. Data Privacy Framework (DPF) relies on the FTC providing independent oversight of participating organizations’ compliance with the DPF. As a result, the DPF is likely to face renewed challenges. After the Slaughter decision, a spokesperson for the European Commission (EC) indicated that the EC has “taken note” of the opinion and “will now carefully analyze any implications it may have for the EU-U.S. agenda.” And a leading European privacy activist, Max Schrems, has declared that “the basis for any EU-U.S. data transfer deal is dead.” Against this backdrop, the EC could decide to exercise its powers to suspend or repeal the DPF, or EU courts may decide to invalidate it. The ruling may also impact the legal landscape for transfers based on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), as the FTC’s diminished independence may need to be taken into account when conducting data transfer impact assessments (DTIA).

Background

The EU General Data Protection Regulation (GDPR) prohibits the transfer of personal data outside the EEA unless there is a legal basis for the transfer, which generally means that it is covered by an adequacy decision or the transferring company is able to rely on another valid data transfer mechanism, such as SCCs or BCRs. An adequacy decision is adopted by the EC and recognizes that a non-EEA country (or specific organizations within a non-EEA country) ensures an adequate level of protection, allowing personal data to flow freely from the EEA to the relevant organizations located in that country.

The DPF is one such adequacy decision. It enables U.S. organizations that self-certify to the framework to import personal data from the EEA into the U.S., without having to rely on another data transfer mechanism. The main authority enforcing participating organizations' compliance with the DPF Principles is the FTC.

The validity of the DPF has been challenged but upheld by the EU General Court (see here), although an appeal of that judgment before the full Court of Justice of the EU (CJEU) is pending. The two predecessors of the DPF, the Safe Harbor and Privacy Shield arrangements, were both invalidated by the CJEU in the landmark Schrems I and Schrems II rulings, illustrating that the CJEU has not hesitated to invalidate transatlantic data transfer frameworks in the past.

The SCOTUS Ruling and Its Implications

The key facts, the SCOTUS’ ruling, and the implications for EU-U.S. personal data transfers are summarized below.

  1. Facts. In March 2025, President Trump removed the FTC’s two Democratic Commissioners, Rebecca Slaughter and Alvaro Bedoya. In his removal notice to one of them, President Trump indicated that the Commissioners were removed because their continued service was inconsistent with his Administration’s priorities—not for a specific cause. Slaughter brought a lawsuit against her removal, citing the for-cause removal protections established in Humphrey’s Executor v. United States, a SCOTUS decision from 1935, which held that the President could only fire an FTC Commissioner for cause. Bedoya was originally a party to the lawsuit, but his claim was dropped when he voluntarily resigned.
  2. Ruling. SCOTUS held that the for-cause removal protections violated the separation of powers under the U.S. Constitution and that President Trump could lawfully remove Commissioners at will. Leaving in no doubt of the President’s authority to remove the Commissioner at-will, SCOTUS explicitly overruled the 90-year precedent of Humphrey’s Executor.
  3. Impact on EU-U.S. personal data flows. The ruling may have a significant impact for companies transferring EEA personal data to the U.S.
    1. Impact on transfers based on the DPF. The DPF’s validity in EU law depends, among other things, on the FTC acting as an independent enforcement authority. If the FTC is deemed insufficiently independent by the EC, a core assumption underpinning the DPF adequacy decision has materially changed, increasing the likelihood of renewed scrutiny. On the one hand, the EC could decide to suspend or repeal the DPF adequacy decision, though this remains unlikely in the current geopolitical context. On the other hand, privacy advocacy groups such as the NGO None of Your Business (NOYB) have already signaled their intent to pursue an action to have the CJEU invalidate the DPF adequacy decision, which could lead to a “Schrems III” ruling in the future. This would be in addition to the pending CJEU appeal regarding its annulment mentioned above. If the DPF is invalidated, companies would no longer be able to rely on it to transfer EEA personal data to the U.S. In such a case, they would need to quickly switch to alternative data transfer mechanisms, such as SCCs or BCRs.
    2. Impact on transfers based on SCCs and BCRs. The implications may extend beyond the DPF. Companies transferring personal data outside the EEA must assess, as part of their DTIAs, whether the laws and practices of the recipient country ensure an appropriate level of protection for personal data and whether they need to implement any supplementary measures. So far, companies transferring personal data to the U.S. have generally carried out these assessments on the assumption that the FTC operates as an independent regulator enforcing relevant privacy laws against the U.S.-based recipients of EEA personal data. Given questions about whether the FTC’s independence has been diminished, companies should consider assessing whether this ruling impacts their current DTIAs and data transfer strategy

What Should Companies Do Now?

While the DPF adequacy decision remains valid for the time being, companies that routinely transfer EEA personal data to the U.S. should assess their data transfer strategy. For transfers relying on the DPF, companies could consider taking a belt-and-suspenders approach by implementing SCCs or BCRs in addition to the DPF. For transfers relying on SCCs and BCRs, companies should consider assessing the impact of this ruling and whether the level of protection for EEA personal data remains appropriate. Beyond these practical steps, it is largely a wait-and-see situation, with the EC, the EU courts, and privacy advocacy groups likely to shape the future of the DPF in the months and years ahead.

Wilson Sonsini's Data, Privacy, and Cybersecurity practice advises companies on the full range of transatlantic data-transfer mechanisms and is closely monitoring the developments related to the Slaughter ruling. We can help you assess your exposure, revisit transfer-impact assessments, implement SCCs or supplementary safeguards, and build a contingency plan calibrated to your data flows.

For more information or if you have any questions regarding data transfers, please contact Laura De Boel, Cédric Burton, Yann Padova, or Nikolaos Theodorakis from Wilson Sonsini’s Data, Privacy, and Cybersecurity practice.

Rossana Fol, Olga Kosno, and Hugh Ó Laoide Kelly contributed to the preparation of this alert.

Contributors

  • Cédric Burton
  • Maneesha Mithal
  • Christopher N. Olsen
  • Rossana Fol
  • Olga Kosno
  • people
  • insights
  • about us
  • careers
  • Binder
  • Alumni
  • Mailing List Signup
  • Client FTP Portal
  • Privacy Policy
  • Terms of Use
  • Accessibility
WSGR logo
Twitter
LinkedIn
Facebook
Instagram
Youtube
Copyright © 2026 Wilson Sonsini Goodrich & Rosati. All Rights Reserved.