Trump v Slaughter: Could the Latest US Supreme Court Decision Destabilise the EU-US Data Transfer Regime?

A recent US Supreme Court judgment may have introduced an unexpected new source of uncertainty for organisations transferring personal data from the EU and UK to the United States.

On 29 June 2026, the US Supreme Court issued its ruling in Trump v Slaughter, holding that the Federal Trade Commission (FTC) cannot operate independently of Presidential control. At first glance, the case appears to be a constitutional dispute about the scope of executive authority in the United States. In practice, however, it could have significant implications for the legal framework underpinning EU-US personal data transfers.

Why does this matter?

The current EU-US Data Privacy Framework (DPF), adopted by the European Commission in 2023, is a central mechanism that permits the transfer of personal data from the EU to certified US organisations without additional transfer safeguards such as the SCCs. A UK extension allows UK organisations to take advantage of the DPF too, provided that the US recipient is registered with the extension as well as the core DPF.

The DPF itself emerged following the collapse of two previous arrangements, Safe Harbour and Privacy Shield, both of which were invalidated by the Court of Justice of the European Union (CJEU) following concerns about US surveillance powers and the protections available to EU individuals.

The latest framework therefore rests on foundations that have already been tested twice before.

A key element of any EU adequacy decision is the existence of effective and independent supervision. In assessing the DPF, the European Commission placed significant weight on the FTC's role as the principal regulator responsible for enforcing participating organisations' privacy commitments. The Commission also relied on the Data Protection Review Court (DPRC) as an independent avenue of redress for EU individuals affected by US intelligence-gathering activities.

What did the Supreme Court decide?

The dispute arose after President Trump removed FTC Commissioner Rebecca Slaughter from office. Ms Slaughter challenged that decision, arguing that the FTC was designed to operate independently of the Executive Branch.

The Supreme Court disagreed. In doing so, it substantially altered the accepted understanding of the FTC's constitutional position, concluding that the agency cannot be insulated from Presidential control in the way previously assumed.

The result is that the FTC's independence, a feature that formed part of the European Commission's assessment when adopting the DPF, has been brought into question.  

What does this mean for the DPF?

For the time being, there are no immediate changes from a legal compliance perspective. The DPF remains valid and organisations can continue relying on it in exactly the same way as they did before the judgment.

That said, the decision may create fresh grounds for challenging the adequacy decision underpinning the framework. If one of the central safeguards relied upon by the Commission no longer operates in the manner originally anticipated, questions inevitably arise as to whether the adequacy assessment remains sustainable in the longer term.

While no immediate regulatory action has been taken, organisations that are heavily dependent on the DPF may wish to revisit their transfer strategies and understand the alternatives available should the position evolve.

The prospect of a third Schrems challenge

Max Schrems and his privacy advocacy group, none of your business ("noyb"), have already responded to the judgment by urging the Commission to withdraw the DPF. They have also indicated that preparations are underway for a fresh legal challenge before the CJEU.

However, noyb's position is notable for another reason. Rather than advocating for an abrupt invalidation of the framework, it has called for a managed transition that avoids the disruption experienced following the demise of Safe Harbour and Privacy Shield. The concern is that another sudden collapse of the transfer regime could leave thousands of organisations scrambling to implement alternative safeguards at short notice.

Practical considerations for businesses

The appropriate response will depend on the transfer mechanism currently being used:

Organisations relying on the DPF

The DPF remains a valid transfer mechanism for both EU organisations and those in the UK where the recipient is opted into the UK extension; there is no requirement to stop relying on it. Nevertheless, businesses should consider identifying the processing activities that depend on the framework and assessing what alternatives would be available if its status were challenged successfully. For some organisations, this may also be an appropriate opportunity to revisit data localisation strategies or the use of EU-based hosting arrangements.

Organisations relying on Standard Contractual Clauses (SCCs)

The Supreme Court's decision does not directly affect SCCs (including the UK’s International Data Transfer Agreement and the UK Addendum to the EU SCCs) and organisations that retain SCCs alongside the DPF as a fallback mechanism are better placed to absorb any future disruption to the adequacy framework.

However, businesses should consider whether their Transfer Impact Assessments (TIAs) accurately reflect the current US legal landscape. Where TIAs refer to regulatory oversight mechanisms or independence safeguards that may now be subject to greater scrutiny, updates may be appropriate.

All organisations

History suggests that predictions of an immediate halt to US data transfers are often overstated. Following the invalidation of both Safe Harbour and Privacy Shield, data flows generally continued and businesses ultimately adapted to the changing regulatory environment.

Even so, organisations should ensure that their transfer records remain up to date, TIAs are regularly reviewed and alternative transfer mechanisms can be deployed if needed. Maintaining that level of preparedness remains the most effective way to manage legal uncertainty, regardless of how developments unfold.

TLT's Data Privacy and Cybersecurity team is advising clients on all aspects of this issue. Please do get in touch if you would like to discuss the implications for your business.

This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.

No items found.

No items found.

Written by
Christopher Cameron
Written by
Emma Erskine-Fox
Date published
08 Jul 2026

Abstract overlapping curved shapes in varying shades of violet and purple on a solid violet background.

Legal insights & events

Keep up to date on the issues that matter.

Abstract yellow background with overlapping translucent olive green curved shapes.

Follow us

Find us on social media

No items found.