This summary is based on Axel Spies’s recent YouTube German interview discussing the U.S. Supreme Court's decision and its potential implications for the EU-U.S. Data Privacy Framework. The full interview is available here: https://www.youtube.com/watch?v=9XP0pFAcTxQ with automatic English translation.
The recent U.S. Supreme Court decision Trump v. Slaughter has raised new questions about the future of the EU-U.S. Data Privacy Framework (DPF), the mechanism that enables certified U.S. organizations to receive personal data from the European Union.
The decision concerns the President's authority to remove commissioners of the U.S. Federal Trade Commission (FTC). Because the FTC plays an enforcement role under the DPF, some privacy commentators and advocacy organizations have questioned whether the ruling could affect the European Commission's adequacy decision. The legal implications of the decision for the DPF continue to be debated. The key takeaway for U.S. organizations is that nothing changes immediately for the EU-US data flows. They may continue relying on existing data transfer mechanisms while monitoring future legal and political developments.
What Is the EU-U.S. Data Privacy Framework?
The EU-U.S. Data Privacy Framework (DPF) is an agreement between the European Union and the United States that allows, since 2023, U.S. organizations that self-certify under the framework to receive personal data from the EU without requiring additional transfer mechanisms for those transfers. The European Commission determined that certified organizations provide an "adequate" level of protection for EU personal data under Article 45 of the GDPR.
The DPF replaced the former Privacy Shield framework after the Court of Justice of the European Union (CJEU) invalidated it in 2020 in its Schrems II judgment. The European Commission is required to continuously monitor whether the United States in its operation of the DPF program continues to provide an adequate level of data protection under the GDPR and may review, amend, suspend, or repeal its adequacy decision if circumstances warrant.
What Did the US Supreme Court Decide?
The US Supreme Court ruled that the President has the constitutional authority to remove FTC commissioners. The decision addresses the constitutional status of so-called "independent agencies" and does not directly concern privacy law or international data transfers.
Because the European Commission referred to the FTC as an independent enforcement authority when adopting the DPF, some privacy advocates argue that the ruling could immediately affect the adequacy decision. Others believe the impact is limited because:
- The FTC continues to operate normally.
- New commissioners must still be confirmed by the U.S. Senate.
- The DPF is based on an assessment of the overall U.S. legal system, not solely on the FTC.
Another legal development to watch is litigation challenging the dismissal of certain members of the Privacy and Civil Liberties Oversight Board (PCLOB). The PCLOB is an independent federal oversight body that reviews U.S. counterterrorism and intelligence activities to help ensure that privacy and civil liberties are protected. The European Commission relied on the PCLOB as one of the oversight mechanisms supporting the DPF when it adopted its adequacy decision. The outcome of this litigation therefore may also be relevant to future assessments of the DPF. At present, however, this pending case does not affect the validity of the DPF or EU-U.S. data transfers. The adequacy decision also relies on the newly established Data Protection Review Court (DPRC), which hears certain complaints regarding U.S. signals intelligence activities. At present, there are no legal developments affecting the DPRC itself.
What Does This Mean for U.S. Companies Receiving EU Personal Data?
For U.S. businesses, there is no immediate operational impact.
- The DPF remains fully in force.
- Organizations certified under the DPF may continue relying on it.
- Companies relying on Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or, where applicable, one of the derogations under Article 49 GDPR (such as explicit consent), may continue doing so.
- There is no requirement to suspend or relocate EU-U.S. data transfers.
Although privacy advocacy groups have already called for renewed legal challenges to the DPF, any change would require additional legal and regulatory steps and would almost certainly take considerable time. Even if the DPF were eventually successfully challenged before the CJEU, history shows that cross-border data transfers do not stop overnight. Organizations typically transition to alternative legal mechanisms while regulators provide guidance.
Practical Recommendations
Organizations should avoid overreacting, but they should use this development as an opportunity to strengthen their compliance programs.
• Update Transfer Impact Assessments (TIA or DTIA).
Organizations relying on Standard Contractual Clauses should review and update their Transfer Impact Assessments to reflect the current U.S. legal landscape, including this recent Supreme Court decision and other relevant legal developments.
• Review contracts with U.S. data processors.
Review your Data Processing Agreements (DPAs) with with EU customers, business partners, and other data exporters. Consider whether they include a clause addressing the potential loss of the DPF and identify an alternative transfer mechanism if the DPF were successfully challenged or invalidated. Organizations should develop reasonable contingency plans without assuming that major changes are imminent.
• Adopt a "belt and suspenders" approach.
In addition to the DPF and the SCCs / BCR, organizations should evaluate whether other GDPR transfer tools—such as approved GDPR certification mechanisms or, where appropriate, the derogations under Article 49 GDPR—could provide additional resilience if the DPF were successfully challenged before the CJEU.
• Monitor legal and political developments.
Organizations should closely monitor developments that could affect future EU-U.S. data transfers, including:
- The ongoing review of the DPF by the European Commission;
- Litigation concerning the Privacy and Civil Liberties Oversight Board (PCLOB) and Data Privacy Review Court;
- Any future proceedings before the Court of Justice of the European Union (CJEU) challenging the DPF;
- Changes in the FTC's enforcement priorities regarding privacy and data protection;
- Broader political and regulatory developments in the US and EU affecting transatlantic data transfers.

