On Monday, July 3, 2026, the United States Supreme Court issued its ruling in the widely discussed case of Trump v. Slaughter. This ruling potentially has major consequences for the international transfer of personal data from the EU to the United States.
At the heart of this case is the dismissal of Slaughter, one of the commissioners of the Federal Trade Commission (hereinafter: “FTC”), by President Trump, on the grounds that her views did not align with those of his administration. Slaughter challenged her dismissal in court and initially prevailed, but the Supreme Court has now ruled that the dismissal was nonetheless lawful. The Supreme Court held that the U.S. Constitution precludes any form of dismissal protection for American regulators — including the FTC as the relevant supervisory authority in the field of privacy. The statutory dismissal protection (“for cause”) has thereby been abolished, enabling the U.S. President to dismiss government commissioners without justified cause.
Background: international transfers to the US
The international transfer of personal data to the US has a turbulent history. The previous adequacy decisions — Safe Harbour and the Privacy Shield — were invalidated by the Court of Justice of the European Union (CJEU). This occurred following legal proceedings brought by Max Schrems. In both cases, the CJEU ruled that the level of protection of personal data in the US was not “essentially equivalent” to the level guaranteed within the EU — a requirement for international transfers based on an adequacy decision. Following these rulings, the European Commission adopted a new adequacy decision in 2023: the Data Privacy Framework. The US had introduced additional safeguards to address the objections raised against the earlier decisions. The independence of the FTC as a supervisory authority was one of the central pillars of this framework.
The consequences
Under Article 8(3) of the Charter of Fundamental Rights of the European Union, independent supervision of compliance with personal data protection is required. In the Netherlands, this task is carried out by the Dutch Data Protection Authority (Autoriteit Persoonsgegevens), while in the US, the FTC fulfills this role. However, following the ruling in Trump v. Slaughter, the independence of the FTC is no longer guaranteed. This raises the question of whether the level of protection in the US can still be considered equivalent to that of the EU.
If Schrems is to be believed, this is no longer the case. He argues that the Supreme Court’s decision has caused the entire foundation upon which the adequacy decision rests to collapse. Schrems has formally written to the European Commission requesting that the adequacy decision be annulled. Should the Commission choose to maintain the DPF for the time being, a Schrems III lawsuit appears inevitable.
The Latombe case
The General Court of the European Union had previously weighed in on the sustainability of the Data Privacy Framework in the Latombe case. French parliamentarian Latombe argued that the DPF should be declared invalid because the level of protection in the US is not equivalent to that of the EU. Among other things, Latombe contended that the judges of the Data Protection Review Court (DPRC) lacked sufficient independence. The General Court rejected this position and upheld the DPF, noting that sufficient safeguards existed — for example, that DPRC judges may only be dismissed for cause.
This argument appears difficult to sustain following Trump v. Slaughter. The Supreme Court has, after all, ruled that such dismissal protection is unconstitutional. This calls into question whether the General Court’s reasoning in Latombe can still be maintained. It is therefore to be expected that the DPF will either be withdrawn by the Commission itself, or successfully challenged on appeal in the Latombe case or in new proceedings brought by Schrems.
Alternatives if the Data Privacy Framework falls away
Should the DPF ultimately be invalidated, the GDPR does in principle offer alternative mechanisms for transferring personal data to the US. In addition to adequacy decisions, the GDPR provides other mechanisms for international transfers, including Standard Contractual Clauses (SCCs). These are contractual clauses drawn up by the European Commission that contain safeguards intended to ensure an equivalent level of protection. However, it remains to be seen whether these will offer a viable solution.
The use of SCCs requires, pursuant to the Schrems II ruling, the performance of a so-called Transfer Impact Assessment (TIA). As part of this TIA, it must be assessed whether the recipient country offers an equivalent level of protection. This assessment must be made on the basis of the practical and legal risks associated with a transfer to a third country without an adequacy decision. Given that the US, in light of the ruling, no longer has an independent supervisory authority, it is questionable whether a TIA can yield a positive outcome — i.e., one that permits the transfer to proceed. It is now up to the European Commission to assess whether the Data Privacy Framework can still be maintained.
Would you like to know how your organization should handle the transfer of personal data to the US? Please contact one of our attorneys.