Regulation
The wall under EU–US data transfers just moved
A US ruling on who controls the FTC has quietly unsettled the legal basis for moving European data across the Atlantic.
New to the topic? Start with What sovereign compliance actually means.
A single sentence in a US Supreme Court opinion, handed down on 29 June, may end up mattering more to European compliance officers than any regulation Brussels passed this year. The Court ruled that the President can dismiss commissioners of the Federal Trade Commission at will, and in doing so overturned a precedent that had defined the American “independent agency” since 1935. The ruling reads as a domestic argument about presidential power. Its consequences run straight through the mechanism that keeps European data flowing legally to the United States.
Why an American ruling reaches European desks
Since 2023, most transfers of personal data from the EU to the US have relied on the EU–US Data Privacy Framework, an adequacy decision in which the European Commission judged that the United States offers protection essentially equivalent to Europe’s own. That judgment rests on a specific promise: that an independent authority supervises how American companies handle European data. For the commercial side of that promise, the authority named again and again is the FTC.
European law does not treat independence as a nicety. Article 8 of the Charter of Fundamental Rights requires that data protection be overseen by an independent authority, and the absence of genuinely independent oversight and redress ran through the Court of Justice’s reasoning when it struck down the two previous transatlantic frameworks, Safe Harbour in 2015 and Privacy Shield in 2020. The supervisor at the centre of today’s framework has just been declared answerable to the President.
Not a collapse, but a fault line
The framework has not fallen. The adequacy decision remains in force, certified companies may still rely on it, and the Commission has said only that it will assess the implications. Suspending transatlantic data flows would disrupt much of the digital economy, so the institutional incentive is to move slowly.
The pressure, however, is now structural rather than rhetorical. Max Schrems’ organisation has written to the Commission urging withdrawal, and a separate challenge is already climbing towards the Court of Justice. Should that court apply the standard it set in the Schrems cases, this would become the third transatlantic framework to be struck down in a decade, and the first whose flaw sits in plain sight in a published opinion rather than buried in classified surveillance law.
What a compliance leader should take from this
The honest reading is not “panic,” but “stop treating the framework as bedrock.” Even if it were struck down, transfers would not simply stop; standard contractual clauses would step back in, as they did twice before, carrying a heavier burden of case-by-case transfer assessments. The deeper lesson is about dependency. When a European institution’s data, and increasingly the systems that interpret its obligations, rest on a US adequacy decision that a single foreign court can unsettle, that is not a line item in a risk register. It is the shape of the risk itself.
The most persuasive argument for a European stack this year was not made by a vendor or a regulator. It was made by the Supreme Court of the United States.
This article is commentary on a developing legal situation, not legal advice; organisations should take their own advice on their transfer arrangements.