Ein Urteil zur US-Behördenstruktur reißt das EU-US-Datenabkommen mit sich

Ein Urteil zur US-Behördenstruktur reißt das EU-US-Datenabkommen mit sich


At first glance, a dispute over the dismissal of an FTC commissioner seems to have little to do with data protection. But upon closer inspection, the U.S. Supreme Court has thereby removed the pillar on which the entire legal basis for data transfers from the EU to the U.S. rests.

07/07/2026

A ruling on the structure of U.S. government agencies brings down the EU-U.S. data agreement

At first glance, a dispute over the dismissal of an FTC commissioner seems to have little to do with data protection. But upon closer inspection, the U.S. Supreme Court has thereby removed the pillar on which the entire legal basis for data transfers from the EU to the U.S. rests.

Sometimes a single ruling is enough to throw a transatlantic data protection agreement into turmoil. On June 29, 2026, the U.S. Supreme Court ruled in Trump v. Slaughter that the Federal Trade Commission (FTC) may no longer act independently of the president. The majority of the justices thus upheld the so-called “Unitary Executive Theory.” The U.S. president is to retain control over all executive agencies, including independent commissions. The court declared the statutory guarantees of independence for U.S. agencies to be unconstitutional across the board. This applies beyond the specific FTC case.

What appears to be a domestic power struggle in Washington has immediately set off alarm bells in Brussels. This is because the FTC has been the central figure in every EU-U.S. data agreement since 2000.

Why the FTC, of all places, is the bottleneck

Article 16(2) of the TFEU and Article 8(3) of the Charter of Fundamental Rights explicitly require independent oversight of data protection. If the European Commission wishes to certify that a third country has an “adequate” level of data protection, there must also be an independent authority in place to monitor compliance. The U.S. has consistently pointed to the FTC in this regard. According to the data protection organization noyb, the European Commission cited this very independence 259 times in its latest adequacy decision on the EU-U.S. Data Privacy Framework.

This figure shows just how central this concept was—and how weak the foundation on which it stood. The agreement was already considered fragile beforehand. It is now the third iteration following “Safe Harbor” and “Privacy Shield,” both of which were declared invalid by the European Court of Justice. On the U.S. side, it is based solely on an executive order, which any new administration can amend or revoke. Even the supplementary oversight body, the “Data Protection Review Court,” is not a genuine judicial authority but rather a division within the U.S. Department of Justice. Its independence, too, exists only by decree.

Formally, the resolution remains in effect; in practice, however, there is no basis for it

The European Commission’s adequacy decision is not automatic. It remains in effect until the Commission revokes it or the European Court of Justice declares it invalid, as was the case with Safe Harbor and Privacy Shield. Legally, companies can continue to rely on the Data Privacy Framework.

Those who use Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) are not automatically on the safe side. These instruments require a separate Transfer Impact Assessment (TIA). This assessment is generally based on the same U.S. supervisory structure that has now collapsed. Anyone who updates it to the best of their knowledge can hardly reach any other conclusion than that the basis for it no longer exists. The Commission’s decision, which remains in effect, is not sufficient as a safeguard.

The reaction from Vienna

Max Schrems and his organization, noyb, have already successfully challenged Safe Harbor and Privacy Shield in court. In an official letter, they have called on the European Commission to revoke the adequacy decision itself through an orderly process, rather than waiting for another court case. His argument: Without independent authorities in the U.S., there is no basis for any agreement that relies precisely on that. A unanimous decision by all member states to amend the EU Treaties could theoretically resolve this issue. Politically, however, that is not on the horizon. At the same time, noyb has announced a new lawsuit before the European Court of Justice. As with previous cases, it is likely to take two to three years before a decision is reached. So far, the European Commission has merely stated that it is reviewing the ruling and its implications.

What Companies Should Do Now

The Commission’s existing decision is no longer sufficient as a safeguard. Four points now need to be addressed:

  • Review transfer impact assessments. Organizations that conduct TIAs based on SCCs or BCRs should update their assessment of the U.S. legal landscape now. The previous argument regarding independent oversight is no longer valid.
  • Identify dependencies. Some companies currently do not know exactly where in their cloud and SaaS landscape personal data flows to the U.S. Without this overview, it is impossible to either create or update a TIA or evaluate an exit option.
  • Evaluate exit options. An abrupt exit from U.S. services is feasible in the short term for very few organizations. It makes more sense to examine now where European alternatives or separate EU instances of existing providers are viable and where they are not.
  • Monitor developments. Years may pass between a possible revocation by the Commission and a ruling by the European Court of Justice. This transitional phase will determine which organizations are prepared.

The EU-U.S. Data Privacy Framework has not formally been terminated. It is based on a supervisory structure that the Supreme Court has just ruled is not independent. While the FTC retains its statutory powers, its independence is in question. Whether through Latombe’s appeal to the European Court of Justice, another lawsuit by noyb, or a decision by the Commission itself: based on past precedent, it could still be years before a decision is reached in Brussels or Luxembourg. Those who use this time to identify their own data transfers to the U.S., assess the consequences of an annulment of the adequacy decision, and consider their options for action will not be caught off guard on the day the decision is handed down.

If you have any questions about the implications of the ruling, please feel free to email me at henri.vershoven@complion.de. I look forward to our discussion.