
Trump v Slaughter: Could the Latest US Supreme Court Decision Destabilise the EU-US Data Transfer Regime?
A recent US Supreme Court judgment may have introduced an unexpected new source of uncertainty for organisations transferring personal data from the EU and UK to the United States.
On 29 June 2026, the US Supreme Court issued its ruling in Trump v Slaughter, holding that the Federal Trade Commission (FTC) cannot operate independently of Presidential control. At first glance, the case appears to be a constitutional dispute about the scope of executive authority in the United States. In practice, however, it could have significant implications for the legal framework underpinning EU-US personal data transfers.
Why does this matter?
The current EU-US Data Privacy Framework (DPF), adopted by the European Commission in 2023, is a central mechanism that permits the transfer of personal data from the EU to certified US organisations without additional transfer safeguards such as the SCCs. A UK extension allows UK organisations to take advantage of the DPF too, provided that the US recipient is registered with the extension as well as the core DPF.
The DPF itself emerged following the collapse of two previous arrangements, Safe Harbour and Privacy Shield, both of which were invalidated by the Court of Justice of the European Union (CJEU) following concerns about US surveillance powers and the protections available to EU individuals.
The latest framework therefore rests on foundations that have already been tested twice before.
A key element of any EU adequacy decision is the existence of effective and independent supervision. In assessing the DPF, the European Commission placed significant weight on the FTC's role as the principal regulator responsible for enforcing participating organisations' privacy commitments. The Commission also relied on the Data Protection Review Court (DPRC) as an independent avenue of redress for EU individuals affected by US intelligence-gathering activities.
What did the Supreme Court decide?
The dispute arose after President Trump removed FTC Commissioner Rebecca Slaughter from office. Ms Slaughter challenged that decision, arguing that the FTC was designed to operate independently of the Executive Branch.
The Supreme Court disagreed. In doing so, it substantially altered the accepted understanding of the FTC's constitutional position, concluding that the agency cannot be insulated from Presidential control in the way previously assumed.
The result is that the FTC's independence, a feature that formed part of the European Commission's assessment when adopting the DPF, has been brought into question.
What does this mean for the DPF?
For the time being, there are no immediate changes from a legal compliance perspective. The DPF remains valid and organisations can continue relying on it in exactly the same way as they did before the judgment.
That said, the decision may create fresh grounds for challenging the adequacy decision underpinning the framework. If one of the central safeguards relied upon by the Commission no longer operates in the manner originally anticipated, questions inevitably arise as to whether the adequacy assessment remains sustainable in the longer term.
While no immediate regulatory action has been taken, organisations that are heavily dependent on the DPF may wish to revisit their transfer strategies and understand the alternatives available should the position evolve.
The prospect of a third Schrems challenge
Max Schrems and his privacy advocacy group, none of your business ("noyb"), have already responded to the judgment by urging the Commission to withdraw the DPF. They have also indicated that preparations are underway for a fresh legal challenge before the CJEU.
However, noyb's position is notable for another reason. Rather than advocating for an abrupt invalidation of the framework, it has called for a managed transition that avoids the disruption experienced following the demise of Safe Harbour and Privacy Shield. The concern is that another sudden collapse of the transfer regime could leave thousands of organisations scrambling to implement alternative safeguards at short notice.
Practical considerations for businesses
The appropriate response will depend on the transfer mechanism currently being used:
Organisations relying on the DPF
The DPF remains a valid transfer mechanism for both EU organisations and those in the UK where the recipient is opted into the UK extension; there is no requirement to stop relying on it. Nevertheless, businesses should consider identifying the processing activities that depend on the framework and assessing what alternatives would be available if its status were challenged successfully. For some organisations, this may also be an appropriate opportunity to revisit data localisation strategies or the use of EU-based hosting arrangements.
Organisations relying on Standard Contractual Clauses (SCCs)
The Supreme Court's decision does not directly affect SCCs (including the UK’s International Data Transfer Agreement and the UK Addendum to the EU SCCs) and organisations that retain SCCs alongside the DPF as a fallback mechanism are better placed to absorb any future disruption to the adequacy framework.
However, businesses should consider whether their Transfer Impact Assessments (TIAs) accurately reflect the current US legal landscape. Where TIAs refer to regulatory oversight mechanisms or independence safeguards that may now be subject to greater scrutiny, updates may be appropriate.
All organisations
History suggests that predictions of an immediate halt to US data transfers are often overstated. Following the invalidation of both Safe Harbour and Privacy Shield, data flows generally continued and businesses ultimately adapted to the changing regulatory environment.
Even so, organisations should ensure that their transfer records remain up to date, TIAs are regularly reviewed and alternative transfer mechanisms can be deployed if needed. Maintaining that level of preparedness remains the most effective way to manage legal uncertainty, regardless of how developments unfold.
TLT's Data Privacy and Cybersecurity team is advising clients on all aspects of this issue. Please do get in touch if you would like to discuss the implications for your business.
This publication is intended for general guidance and represents our understanding of the relevant law and practice as at July 2026. Specific advice should be sought for specific cases. For more information see our terms & conditions.
Get in touch
Get in touch
Insights & events

Trump v Slaughter: Could the latest US Supreme Court decision destabilise the EU-US data transfer regime?

Cyber Security and Resilience Bill Explained | TLT

AI and the future of payments: Five Big Questions with Dave Gardner

Agentic AI and Data - Five big questions with Emma Erskine-Fox

Managing the hidden cyber security risks within your supply chain

What's mine is yours: when information is held on behalf of another under FOIA

Emerging approaches to the regulation and enforcement of AI use
Fortifying defences: ICO publishes new report on common information security mistakes and pitfalls

Employee monitoring - recent developments and enforcement decisions
Auctioning of personal data for advertising purposes: CJEU confirms rules under the GDPR
Biometric data and the impact of the ICO's latest Enforcement Notice

The results are in... The European Data Protection Board's report on the role of Data Protection Officers

Retail Agility: Navigating the AI frontier in retail

Impact of flexible working on towns and cities - the market and legal considerations

Plugging into electric vehicle opportunities | Whitepaper
TLT shortlisted for two awards at the PICCASO Privacy Awards Europe 2023

TLT hires data protection and financial services specialist as partner

TLT partner nominated for top prize at the PICCASO Privacy Awards
TLT Partner Appointed Chair of North West Fraud Forum | TLT

TLT Shortlisted for Firm of the Year at Scottish Legal Awards | TLT

TLT Wins Law Firm of the Year at Manchester Legal Awards | TLT

TLT Recognised for Two Awards at The Lawyer Awards 2022 | TLT

TLT Shortlisted for Two Manchester Legal Awards 2022 | TLT

TLT enhances public sector offering with partner hire

Retail IT systems straining to keep pace with heightened demand

A quarter of retailers say data and analytics isn't important to their business

TLT appointed to sports and arts legal services panel

Claire Graham joins board of North West Fraud Forum

TLT launches Intelligent Drafting solution powered by Clarilis

TLT continues to build data team with senior hire in London




%20%C3%94%C3%87%C3%B4%20790px%20X%20451px%2072ppi34.jpg)
%20%C3%94%C3%87%C3%B4%20790px%20X%20451px%2072ppi6.jpg)






%20%C3%94%C3%87%C3%B4%20790px%20X%20451px%2072ppi13.jpg)














