Editor’s Note: A removal-power ruling issued in Washington on June 29 reached Brussels within a day. The Supreme Court’s decision in Trump v. Slaughter overruled Humphrey’s Executor and eliminated the for-cause removal protections that anchored the FTC’s status as an independent regulator, and noyb answered with a same-day public demand, then a formal letter dated June 30, calling on the European Commission to withdraw the EU-U.S. Data Privacy Framework adequacy decision and promising litigation practitioners are already describing as a potential Schrems III.
For cybersecurity, data privacy, regulatory compliance and eDiscovery professionals, this may be the most consequential cross-border transfer development since Schrems II. Every transfer impact assessment that cites FTC, PCLOB or DPRC independence carries a June 29 asterisk, and the exposure runs past the framework itself into SCCs and BCRs that anchor review platforms, cloud hosting and managed services.
Watch four fronts in the months ahead: the Commission’s formal assessment, the EDPB’s review of the framework’s oversight mechanisms, the pending Latombe appeal at the CJEU, and the noyb annulment filing promised within weeks. Teams that inventory transfer dependencies and document reassessments now will be better positioned if Brussels or the CJEU later changes the framework’s legal status.
Content Assessment: Supreme Court FTC ruling puts new pressure on EU-U.S. data transfers
Information - 94%
Insight - 93%
Relevance - 93%
Objectivity - 94%
Authority - 92%
93%
Excellent
A short percentage-based assessment of the qualitative benefit expressed as a percentage of positive reception of the recent article from ComplexDiscovery OÜ titled, "Supreme Court FTC ruling puts new pressure on EU-U.S. data transfers."
Industry News – Data Privacy and Protection Beat
Supreme Court FTC ruling puts new pressure on EU-U.S. data transfers
ComplexDiscovery Staff
The U.S. Supreme Court sharply curtailed statutory protections for independent agencies June 29, and privacy advocates quickly argued that the ruling weakens a legal pillar of transatlantic data flows. The group that helped topple two earlier EU-US transfer arrangements is now asking Brussels to withdraw the third.
The 6-3 decision in Trump v. Slaughter held that statutory protections shielding Federal Trade Commission (FTC) members from removal without cause violate the Constitution’s separation of powers, overruling the 1935 precedent Humphrey’s Executor v. United States. The Vienna-based privacy group noyb announced its response the same day and followed with a formal letter, dated June 30, asking the European Commission to withdraw its adequacy decision for the EU-U.S. Data Privacy Framework (DPF). It also announced plans to file an annulment action at the Court of Justice of the European Union (CJEU) within weeks. Privacy practitioners are already describing the promised litigation as a potential “Schrems III.”
Inside the ruling that curtailed agency independence
Chief Justice John Roberts, writing for the majority, framed the question as one of presidential control over the executive branch. “We hold that such protection from removal is contrary to the separation of powers enshrined in the Constitution,” Roberts wrote. The case arose after President Donald Trump fired FTC Commissioners Rebecca Slaughter and Alvaro Bedoya in March 2025 without citing the statutory grounds of “inefficiency, neglect of duty, or malfeasance in office” required under the FTC Act.
Justice Sonia Sotomayor dissented, joined by Justices Elena Kagan and Ketanji Brown Jackson. The majority carved out one notable exception, reiterating that the Federal Reserve may stand on different constitutional footing because of its distinct historical tradition.
Erwin Chemerinsky, dean of the University of California, Berkeley School of Law, said “agency independence is now gone” as a result of the ruling, according to Reuters. He said he expects agencies, like cabinet departments, to do what the president wants.
Why an American removal case reaches into Brussels
The constitutional ruling says nothing about privacy, the General Data Protection Regulation (GDPR) or cross-border data transfers. Its collision with European law is structural. The European Commission’s 2023 adequacy decision for the DPF rests in part on the FTC’s role as an independent enforcement authority for U.S. companies that certify under the framework. According to noyb’s count, the adequacy decision references the FTC 259 times.
EU treaty law raises the stakes. Article 16(2) of the Treaty on the Functioning of the European Union and Article 8(3) of the Charter of Fundamental Rights require that compliance with data protection rules be subject to control by an independent authority, and the CJEU has required “essentially equivalent” protection from countries receiving EU personal data.
“Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US,” said Max Schrems, the Austrian lawyer and noyb founder whose earlier challenges brought down the Safe Harbor arrangement in 2015 and the Privacy Shield in 2020. “The Commission built a legal house of cards under industry pressure. Now that it clearly collapses, it has to take responsibility,” he said.
Brussels weighs its response as the framework holds, for now
As of July 7, the DPF remains formally in force, and U.S. organizations certified under it remain eligible to receive covered transfers of EU personal data. Only the Commission can repeal its own adequacy decision, and only the CJEU can annul it. A European Commission spokesperson said the Commission will assess whether the ruling could affect the framework’s validity, will remain in close contact with the U.S. administration, and said the GDPR provides tools to respond if the adequacy decision no longer ensures sufficient protection, according to Bloomberg Law.
The framework has survived one court test already. The EU General Court dismissed a challenge brought by French lawmaker Philippe Latombe on Sept. 3, 2025, finding the U.S. redress system sufficiently independent at that time. Latombe appealed to the CJEU on Oct. 31, 2025, and that appeal was pending when Trump v. Slaughter came down, giving Europe’s top court a live vehicle to weigh the changed American facts even before noyb files.
The European Data Protection Board, which groups Europe’s national privacy regulators, said it is reviewing the decision’s potential implications for the oversight mechanisms behind the framework, describing their independence as central to its legitimacy, according to The Record. The board cannot repeal the adequacy decision, but its views carry weight with the Commission and national authorities.
For its part, noyb described litigation as a last resort in its June 30 letter, urging an orderly repeal with reasonable transition periods to avoid what it called a “compliance cliff” of the kind that followed the Schrems I and Schrems II rulings. Market adaptation is already underway: several EU member states have moved toward digital sovereignty strategies that reduce reliance on U.S. providers, and some U.S. service providers now offer separate EU data processing arrangements, according to noyb.
SCCs and BCRs offer no automatic shelter
Companies tempted to treat this as a framework-only problem should look closer. Standard contractual clauses (SCCs) and binding corporate rules (BCRs), the fallback mechanisms most multinationals adopted after Schrems II, require transfer impact assessments that evaluate the law and practice of the destination country. Those assessments commonly cite the FTC, the Privacy and Civil Liberties Oversight Board (PCLOB) and the Data Protection Review Court (DPRC) as oversight safeguards.
Each pillar now faces a new independence question. Trump removed PCLOB members in January 2025, leaving the board without a quorum, according to noyb. The DPRC, despite its name, is an executive body within the Department of Justice created under Executive Order 14086, an instrument the president can amend or revoke. And the FTC’s statutory removal protection, one of the load-bearing independence assumptions, is now constitutionally foreclosed for commissioners exercising executive power. In noyb’s assessment, companies relying on SCCs and BCRs must update their transfer impact assessments immediately, and an honest update points toward transfers no longer being lawful.
What eDiscovery and governance teams should do now
For legal, privacy, cybersecurity and eDiscovery professionals, the practical work starts with inventory. Teams should map every processing chain that touches the framework or U.S.-based oversight assumptions, including document review platforms, cloud hosting and repositories, managed review operations, security telemetry and incident-response data routed to U.S.-based monitoring platforms, and analytics tools that move EU personal data to U.S. infrastructure.
Transfer impact assessments drafted before June 29 that cite FTC, PCLOB or DPRC independence are arguably stale and should be re-run against the changed facts: the Slaughter holding, the PCLOB quorum gap and the executive-order dependence of the DPRC. Each reassessment should evaluate whether supplementary measures such as encryption with EU-held keys still close the gap, and should record its conclusions in writing.
Fallback planning matters as much as assessment. Article 49 of the GDPR permits derogations for transfers necessary to establish, exercise or defend legal claims, a provision with direct relevance for cross-border discovery, though regulators read it narrowly and it cannot support structural, ongoing offshoring of data. In-EU processing options, from EU data-center review environments to EU-only processing entities offered by some providers, deserve a fresh look. Counsel should also document each decision now; if adequacy later falls, contemporaneous records of good-faith reassessment will matter to regulators.
Timing offers some breathing room. A CJEU annulment action typically takes two to three years, and the Commission has signaled deliberation rather than haste. But Schrems II arrived with immediate effect and no grace period, a history worth remembering.
Twice in 11 years, Europe’s top court has struck down a transatlantic transfer deal, and a third test is now taking shape. Should organizations keep rebuilding on adequacy decisions, or is it finally time to architect for a world where EU data stays in the EU?

News sources
- Trump v. Slaughter, No. 25-332, Slip Opinion (Supreme Court of the United States)
- US Supreme Court just blew up EU-US Data Transfers (noyb)
- U.S. Supreme Court FTC Ruling Prompts Fresh Scrutiny of EU-U.S. Data Privacy Framework (Hunton Privacy and Cybersecurity Law Blog)
- Trump v. Slaughter (Independent Agencies) (SCOTUSblog)
- Supreme Court Strengthens Trump’s Hold on Key Levers of Government Power (Reuters via U.S. News & World Report)
- European Court of Justice to Review Challenge to EU-U.S. Data Privacy Framework (WilmerHale Privacy and Cybersecurity Law Blog)
- Data Protection: The General Court Dismisses an Action Against the EU-US Data Privacy Framework (Court of Justice of the European Union)
- EU-US Data Transfers Under Threat? The US Supreme Court’s Decision in Trump v Slaughter (Matheson)
- Supreme Court Decision Threatens EU-US Data Transfer Agreement (The Record from Recorded Future News)
- noyb Letter to the European Commission on EU-US Data Transfers (noyb)
Assisted by GAI and LLM Technologies
Additional reading
- Council clears the AI Act rewrite as the enforcement clock keeps ticking
- Parliament hits pause on high-risk AI rules and bans nudifier apps
- Europe’s AI labeling rules arrive with a voluntary code and a hard deadline
Source: ComplexDiscovery OÜ

ComplexDiscovery’s mission is to enable clarity for complex decisions by providing independent, data‑driven reporting, research, and commentary that make digital risk, legal technology, and regulatory change more legible for practitioners, policymakers, and business leaders.































