US Supreme Court Trump v. Slaughter Decision Impacts EU-US Data Transfers
The Trump v. Slaughter Decision Invalidates US Privacy Oversight
The US Supreme Court has ruled in Trump v. Slaughter that the US Federal Trade Commission (FTC) may no longer operate as an independent agency. This decision is based on the "unitary executive theory," which asserts that the US President must have direct power over all executive bodies, rendering laws that establish agency independence unconstitutional.
This ruling fundamentally undermines the EU-US Data Privacy Framework because the European Commission relied on the FTC's independence as the primary enforcer of personal data deals. Specifically, the European Commission's adequacy decision for the US references the independent FTC 259 times as the mechanism for ensuring data protection.
EU Legal Requirements for Independent Oversight
Under EU treaty law—specifically Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights—the oversight of data protection must be conducted by an independent authority. For a third country to receive an "adequacy" decision allowing the free flow of personal data from the EU, it must provide protections that are "essentially equivalent" to those in the EU.
Because the US lacks a centralized independent data protection authority, it appointed the FTC to fulfill this role. With the Supreme Court ruling that the FTC is not independent, the legal foundation for the US to meet EU constitutional requirements has collapsed.
Impact on Data Transfer Mechanisms
While the EU-US Data Privacy Framework is the primary vehicle for data flows, the impact extends to other legal instruments used by companies to move data to the US:
EU-US Data Privacy Framework
The framework is formally in force until the European Commission repeals it or the Court of Justice of the European Union (CJEU) annuls it. However, the legal basis for the framework is now considered void by privacy advocates.
Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs)
Companies using SCCs or BCRs typically perform a Transfer Impact Assessment (TIA). These assessments often rely on the existence of independent US executive bodies, such as the Privacy and Civil Liberties Oversight Board (PCLOB) or the Data Protection Review Court. Because the Trump v. Slaughter decision affects the independence of these executive bodies, these transfer mechanisms are also legally precarious.
Exceptions and Non-Personal Data
- Non-personal data: This data can continue to flow freely between the EU and US.
- Article 49 GDPR: This allows for necessary data transfers to third countries for specific cases, but it does not permit the structural offshoring of EU data.
Redress Mechanisms and Government Surveillance
A critical component of the CJEU's previous rulings (Schrems I and Schrems II) was the requirement for an independent legal redress mechanism regarding government surveillance. To address this, the Biden Administration created the Data Protection Review Court.
However, this body is an executive entity within the US Justice Ministry and its independence is granted only via an Executive Order, which can be revoked by the President at any time. This lack of permanent, legislative independence further complicates the legal standing of US data protections.
Industry and Political Implications
Privacy advocacy group noyb has formally requested that the European Commission repeal the EU-US data deal to facilitate an orderly exit from US cloud services. The situation highlights a growing tension between EU privacy laws and US surveillance capabilities.
Community insights from technical discussions emphasize the practical difficulties of this transition:
"Switching to EU companies is often the solution, but also we're in a tricky position in Europe since alternatives exist but can't compete with US."
"Europa, the official web portal of the tech sovereign European Union, will have to change their CDN provider (Amazon's CloudFront)."
Critics argue that the EU has attempted to create data infrastructure through regulation rather than direct investment or bans, leaving many EU entities—including official government portals—dependent on US-based infrastructure like Amazon CloudFront for basic operations.