Editor’s Note: A removal-power ruling issued in Washington on June 29 reached Brussels within a day. The Supreme Court’s decision in Trump v. Slaughter overruled Humphrey’s Executor and eliminated the for-cause removal protections that anchored the FTC’s status as an independent regulator, and noyb answered with a same-day public demand, then a formal letter dated June 30, calling on the European Commission to withdraw the EU-U.S. Data Privacy Framework adequacy decision and promising litigation practitioners are already describing as a potential Schrems III.

For cybersecurity, data privacy, regulatory compliance and eDiscovery professionals, this may be the most consequential cross-border transfer development since Schrems II. Every transfer impact assessment that cites FTC, PCLOB or DPRC independence carries a June 29 asterisk, and the exposure runs past the framework itself into SCCs and BCRs that anchor review platforms, cloud hosting and managed services.

Watch four fronts in the months ahead: the Commission’s formal assessment, the EDPB’s review of the framework’s oversight mechanisms, the pending Latombe appeal at the CJEU, and the noyb annulment filing promised within weeks. Teams that inventory transfer dependencies and document reassessments now will be better positioned if Brussels or the CJEU later changes the framework’s legal status.


Content Assessment: Supreme Court FTC ruling puts new pressure on EU-U.S. data transfers

Information - 94%
Insight - 93%
Relevance - 93%
Objectivity - 94%
Authority - 92%

93%

Excellent

A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "Supreme Court FTC ruling puts new pressure on EU-U.S. data transfers."


Industry News – Data Privacy and Protection Beat

Supreme Court FTC ruling puts new pressure on EU-U.S. data transfers

ComplexDiscovery Staff

The U.S. Supreme Court sharply curtailed statutory protections for independent agencies June 29, and privacy advocates quickly argued that the ruling weakens a legal pillar of transatlantic data flows. The group that helped topple two earlier EU-US transfer arrangements is now asking Brussels to withdraw the third.

The 6-3 decision in Trump v. Slaughter held that statutory protections shielding Federal Trade Commission (FTC) members from removal without cause violate the Constitution’s separation of powers, overruling the 1935 precedent Humphrey’s Executor v. United States. The Vienna-based privacy group noyb announced its response the same day and followed with a formal letter, dated June 30, asking the European Commission to withdraw its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). It also announced plans to file an annulment action at the Court of Justice of the European Union (CJEU) within weeks. Privacy practitioners are already describing the promised litigation as a potential “Schrems III.”

Inside the ruling that curtailed agency independence

Chief Justice John Roberts, writing for the majority, framed the question as one of presidential control over the executive branch. “We hold that such protection from removal is contrary to the separation of powers enshrined in the Constitution,” Roberts wrote. The case arose after President Donald Trump fired FTC Commissioners Rebecca Slaughter and Alvaro Bedoya in March 2025 without citing the statutory grounds of “inefficiency, neglect of duty, or malfeasance in office” required under the FTC Act.

Justice Sonia Sotomayor dissented, joined by Justices Elena Kagan and Ketanji Brown Jackson. The majority carved out one notable exception, reiterating that the Federal Reserve may stand on different constitutional footing because of its distinct historical tradition.

Erwin Chemerinsky, dean of the University of California, Berkeley School of Law, said “agency independence is now gone” as a result of the ruling, according to Reuters. He said he expects agencies, like cabinet departments, to do what the president wants.

Why an American removal case reaches into Brussels

The constitutional ruling says nothing about privacy, the General Data Protection Regulation (GDPR) or cross-border data transfers. Its collision with European law is structural. The European Commission’s 2023 adequacy decision for the DPF rests in part on the FTC’s role as an independent enforcement authority for U.S. companies that certify under the framework. According to noyb’s count, the adequacy decision references the FTC 259 times.

EU treaty law raises the stakes. Article 16(2) of the Treaty on the Functioning of the European Union and Article 8(3) of the Charter of Fundamental Rights require that compliance with data protection rules be subject to control by an independent authority, and the CJEU has required “essentially equivalent” protection from countries receiving EU personal data.

“Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US,” said Max Schrems, the Austrian lawyer and noyb founder whose earlier challenges brought down the Safe Harbor arrangement in 2015 and the Privacy Shield in 2020. “The Commission built a legal house of cards under industry pressure. Now that it clearly collapses, it has to take responsibility,” he said.



Brussels weighs its response as the framework holds, for now

As of July 7, the DPF remains formally in force, and U.S. organizations certified under it remain eligible to receive covered transfers of EU personal data. Only the Commission can repeal its own adequacy decision, and only the CJEU can annul it. A European Commission spokesperson said the Commission will assess whether the ruling could affect the framework’s validity, will remain in close contact with the U.S. administration, and said the GDPR provides tools to respond if the adequacy decision no longer ensures sufficient protection, according to Bloomberg Law.

The framework has survived one court test already. The EU General Court dismissed a challenge brought by French lawmaker Philippe Latombe on Sept. 3, 2025, finding the U.S. redress system sufficiently independent at that time. Latombe appealed to the CJEU on Oct. 31, 2025, and that appeal was pending when Trump v. Slaughter came down, giving Europe’s top court a live vehicle to weigh the changed American facts even before noyb files.

The European Data Protection Board, which groups Europe’s national privacy regulators, said it is reviewing the decision’s potential implications for the oversight mechanisms behind the framework, describing their independence as central to its legitimacy, according to The Record. The board cannot repeal the adequacy decision, but its views carry weight with the Commission and national authorities.

For its part, noyb described litigation as a last resort in its June 30 letter, urging an orderly repeal with reasonable transition periods to avoid what it called a “compliance cliff” of the kind that followed the Schrems I and Schrems II rulings. Market adaptation is already underway: several EU member states have moved toward digital sovereignty strategies that reduce reliance on U.S. providers, and some U.S. service providers now offer separate EU data processing arrangements, according to noyb.

SCCs and BCRs offer no automatic shelter

Companies tempted to treat this as a framework-only problem should look closer. Standard contractual clauses (SCCs) and binding corporate rules (BCRs), the fallback mechanisms most multinationals adopted after Schrems II, require transfer impact assessments that evaluate the law and practice of the destination country. Those assessments commonly cite the FTC, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Data Protection Review Court (DPRC) as oversight safeguards.

Each pillar now faces a new independence question. Trump removed PCLOB members in January 2025, leaving the board without a quorum, according to noyb. The DPRC, despite its name, is an executive body within the Department of Justice created under Executive Order 14086, an instrument the president can amend or revoke. And the FTC’s statutory removal protection, one of the load-bearing independence assumptions, is now constitutionally foreclosed for commissioners exercising executive power. In noyb’s assessment, companies relying on SCCs and BCRs must update their transfer impact assessments immediately, and an honest update points toward transfers no longer being lawful.

What eDiscovery and governance teams should do now

For legal, privacy, cybersecurity and eDiscovery professionals, the practical work starts with inventory. Teams should map every processing chain that touches the framework or U.S.-based oversight assumptions, including document review platforms, cloud hosting and repositories, managed review operations, security telemetry and incident-response data routed to U.S.-based monitoring platforms, and analytics tools that move EU personal data to U.S. infrastructure.

Transfer impact assessments drafted before June 29 that cite FTC, PCLOB or DPRC independence are arguably stale and should be re-run against the changed facts: the Slaughter holding, the PCLOB quorum gap and the executive-order dependence of the DPRC. Each reassessment should evaluate whether supplementary measures such as encryption with EU-held keys still close the gap, and should record its conclusions in writing.

Fallback planning matters as much as assessment. Article 49 of the GDPR permits derogations for transfers necessary to establish, exercise or defend legal claims, a provision with direct relevance for cross-border discovery, though regulators read it narrowly and it cannot support structural, ongoing offshoring of data. In-EU processing options, from EU data-center review environments to EU-only processing entities offered by some providers, deserve a fresh look. Counsel should also document each decision now; if adequacy later falls, contemporaneous records of good-faith reassessment will matter to regulators.

Timing offers some breathing room. A CJEU annulment action typically takes two to three years, and the Commission has signaled deliberation rather than haste. But Schrems II arrived with immediate effect and no grace period, a history worth remembering.

Twice in 11 years, Europe’s top court has struck down a transatlantic transfer deal, and a third test is now taking shape. Should organizations keep rebuilding on adequacy decisions, or is it finally time to architect for a world where EU data stays in the EU?



News sources



Assisted by GAI and LLM Technologies

Additional reading

Source: ComplexDiscovery OÜ

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.

 

Have a Request?

If you have information or offering requests that you would like to ask us about, please let us know, and we will make our response to you a priority.

ComplexDiscovery OÜ is an independent digital publication and research organization based in Tallinn, Estonia. ComplexDiscovery covers cybersecurity, data privacy, regulatory compliance, and eDiscovery, with reporting that connects legal and business technology developments—including high-growth startup trends—to international business, policy, and global security dynamics. Focusing on technology and risk issues shaped by cross-border regulation and geopolitical complexity, ComplexDiscovery delivers editorial coverage, original analysis, and curated briefings for a global audience of legal, compliance, security, and technology professionals. Learn more at ComplexDiscovery.com.

 

Generative Artificial Intelligence and Large Language Model Use

ComplexDiscovery OÜ recognizes the value of GAI and LLM tools in streamlining content creation processes and enhancing the overall quality of its research, writing, and editing efforts. To this end, ComplexDiscovery OÜ regularly employs GAI tools, including ChatGPT, Claude, Gemini, Grammarly, Midjourney, and Perplexity, to assist, augment, and accelerate the development and publication of both new and revised content in posts and pages published (initiated in late 2022).