A ruling issued by the US Supreme Court on Monday, June 29, 2026, has stripped the Federal Trade Commission of the independence that underpins the entire legal architecture of the EU-US Data Privacy Framework, according to Austrian privacy group noyb. The decision, Trump v. Slaughter, found that the FTC's long-standing structural independence from presidential control is unconstitutional. Because the European Commission's 2023 adequacy decision leans on that same independence more than 250 times as proof that US oversight meets EU standards, noyb argues the foundation for transatlantic data flows no longer exists. In a media update sent on Monday, June 30, 2026, and in a formal letter to the European Commission dated the same day, noyb chair Max Schrems called on Brussels to begin an "orderly withdrawal" from the adequacy decision that currently permits US companies to receive personal data from the European Union without additional safeguards.

The timing lands awkwardly for the Commission. Just three months earlier, the General Court dismissed a separate challenge to the same framework, brought by French politician Philippe Latombe, and upheld the adequacy decision in full. That ruling rested partly on the assumption that US oversight bodies, including the FTC, would remain independent. The Supreme Court has now removed that assumption from underneath the judgment, though it did not, and could not, touch the General Court's reasoning directly.

Your Feed Has a Viewability Problem

If nobody's reading it, did it ever really load? Add PPC Land as your preferred source in Google Search and actually see the stories that matter.

Fix My Sources

What the Supreme Court decided

Trump v. Slaughter arose from President Trump's attempt to remove FTC Commissioner Rebecca Slaughter before her term expired, a power that Congress denied to presidents for the FTC when it created the agency in 1914. For nine decades, the FTC's independence rested on Humphrey's Executor v. United States, a 1935 precedent holding that Congress may insulate certain multi-member regulatory bodies from at-will presidential removal. According to noyb's letter to the Commission, the conservative majority "re-written more than 90 years of US constitutional doctrine" by relying on the so-called unitary executive theory, under which the president must retain removal power over every officer who exercises executive authority. Schrems put it more sharply in the group's media statement: "Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US."

The certiorari grant itself was not a surprise to close observers of US administrative law. As PPC Land reported in March 2026, a Fifth Circuit concurrence in an unrelated FTC enforcement case, involving Intuit's TurboTax advertising, had already flagged that the Supreme Court was weighing whether FTC commissioners could be shielded from removal, citing the same Trump v. Slaughter docket entry. That earlier ruling addressed a separate constitutional question, the FTC's adjudicative authority, but the concurring judge noted that the pending removal case threatened to reshape "the FTC's constitutional structure" across all three of the powers it exercises. The removal question has now been resolved, and not in the agency's favor.

Why 259 references matter

Commission Implementing Decision (EU) 2023/1795, adopted on 10 July 2023, is the legal instrument that allows US companies to receive personal data from the European Union without triggering additional GDPR safeguards. Companies self-certify to the US Department of Commerce, agreeing to comply with a set of privacy principles, and become enforceable against under Section 5 of the FTC Act, which prohibits unfair or deceptive commercial practices. That enforcement backstop is not incidental to the framework. It is, according to noyb's letter to Commissioner McGrath and Irena Moozova, referenced more than 250 times throughout the decision as the mechanism that satisfies the EU's constitutional requirement for independent data protection oversight.

Article 16(2) of the Treaty on the Functioning of the European Union and Article 8(3) of the Charter of Fundamental Rights both require that compliance with EU data protection rules be monitored by an independent authority. When the Commission assessed the United States in 2023, it needed a US body that could stand in for that requirement, since the US has no dedicated national privacy regulator equivalent to Europe's data protection authorities. The FTC filled that role. As the noyb letter states plainly, "the Commission has so far relied on the FTC as the equivalent to an independent EU supervisory authority." Other bodies mentioned in the decision, including the Department of Transportation, cover narrower sectors such as airline data and do not offer the FTC's horizontal reach across commercial activity. Since the Supreme Court ruling applies to independent executive bodies generally, not to the FTC alone, noyb's letter argues those narrower bodies face the identical constitutional defect.

The reasoning extends beyond commercial oversight into the national-security side of the framework as well. The 2023 decision also depends on Executive Order 14086, through which former President Biden created a Data Protection Review Court to give EU citizens a redress avenue against US intelligence surveillance. noyb's letter is explicit that this body was never a true, independent court in the first place, since it operates inside the Department of Justice and derives its authority from a presidential order that any president can revoke. "If the US constitution does not allow the US legislator to create an independent executive body, then, logically, it cannot be created by the internal order of a President," the letter states. The same logic, noyb argues, applies to the Privacy and Civil Liberties Oversight Board, whose independence was likewise created by an act of Congress that the Supreme Court's ruling would treat as unconstitutional.

None of this changes what companies must do on Tuesday morning. Commission Implementing Decision (EU) 2023/1795 remains formally in force. It stays that way until either the Commission repeals it through its own procedure or the Court of Justice of the European Union annuls it in a legal challenge. noyb's own letter acknowledges this directly: "we acknowledge that formally Commission Implementing Decision EU 2023/1795 stays in force until it is repealed or annulled." Nor does GDPR's data transfer regime block every kind of international information flow. The regulation targets personal data specifically; non-personal data can move across borders without restriction. Article 49 of the GDPRalso permits necessary transfers to any third country, covering everyday transactions such as hotel bookings, though it was never designed to authorize wholesale, structural offshoring of EU data to US cloud infrastructure when that offshoring is not strictly necessary.

Companies that rely on Standard Contractual Clauses or Binding Corporate Rules rather than the adequacy decision directly are not automatically shielded either. According to noyb, those transfer mechanisms typically depend on a company's own "impact assessment," a document that in turn leans on the same now-unconstitutional US bodies, including the Privacy and Civil Liberties Oversight Board and the Data Protection Review Court, to conclude that US surveillance law offers adequate protection. Because that underlying assumption has collapsed, noyb argues companies relying on SCCs or BCRs face the same logical problem as those relying on the adequacy decision itself, and, in the group's assessment, should reach the same conclusion: that current transfers are not legally defensible.

The road to a possible annulment

noyb's letter lays out two parallel paths forward, and states a preference for the first. The organization is urging the Commission to begin "an imminent plan for the orderly repeal" of the decision, including reasonable transition periods for businesses, precisely to avoid what the letter calls a "compliance cliff." That phrase references the aftermath of the two prior framework invalidations. When the Court of Justice struck down Safe Harbor in the 2015 Schrems I ruling, and again when it struck down Privacy Shield in the 2020 Schrems II ruling, companies were left scrambling for alternative legal bases on short notice. noyb suggests the Commission fold this matter into its recently announced Tech Sovereignty Package rather than wait for a court to force the issue.

Should the Commission decline to act, noyb has stated it will file its own lawsuit "in the coming weeks" aimed at securing an annulment from the Court of Justice. The organization is candid that this route is slow. Litigation of this kind, the letter notes, "typically takes 2-3 years until a final decision is reached." That places a potential Court of Justice ruling somewhere in the 2028 to 2029 window, assuming the case proceeds on a standard timeline.

The letter also flags a structural obstacle that no single lawsuit or Commission decision can resolve quickly. EU treaty law requires independent oversight of data protection; the US Supreme Court has now interpreted the US Constitution to prohibit exactly that kind of independent executive body. noyb frames this as "a constitutional clash of laws" rather than a dispute tied to any single administration, since fixing it would require either the US Constitution being reinterpreted or amended, or all EU member states unanimously agreeing to change the EU treaties. The letter calls both outcomes "rather unlikely to happen in the next years or even in the next decades."

Why this matters for marketing and advertising

For an industry that moves enormous volumes of personal data across the Atlantic every day, largely for ad targeting, measurement, and cloud-based analytics, the legal uncertainty compounds rather than resolves prior concerns. PPC Land has tracked mounting pressure on the framework from several directions over recent months. In January 2025, reports emerged that Democratic members of the Privacy and Civil Liberties Oversight Board had been asked to resign, a move that already threatened the board's ability to function and, by extension, the credibility of the redress mechanism EU citizens depend on. That same reporting quoted Schrems describing the framework's foundation as resting on "executive promises that can be overturned in seconds" rather than durable legislation. Monday's Supreme Court decision is, in a sense, the mechanism Schrems warned about materializing.

Google adopted the framework for its advertising services, including AdSense, in September 2023, later extending coverage to Swiss and UK data through parallel frameworks in 2024. Companies of similar scale have built compliance architecture on the assumption that FTC enforcement backstops the entire arrangement. If that backstop is now constitutionally suspect, advertisers and publishers relying on US-based ad tech vendors, DSPs, and cloud infrastructure providers face a genuine question about the durability of their current data flows, even though no immediate action is legally required.

The uncertainty also arrives as European infrastructure providers position themselves as an alternative. AWS launched its European Sovereign Cloud in January 2026, explicitly citing concerns about American providers' capacity to shield European data from US government access; Microsoft executives had separately admitted under oath during French Senate testimony that they could not guarantee such protection. A coalition of ten European media, telecom, and ad tech companies went further still, launching the European Media Marketplace on 7 July 2026 with an explicit pitch around data sovereignty and local processing. Whether these efforts represent a genuine hedge against transatlantic data-flow risk, or a parallel commercial strategy that happens to align with the current legal moment, will likely become clearer only as the Commission signals its response to noyb's letter.

Ireland's Data Protection Commission, the lead regulator for most major US technology companies in the EU, has faced its own scrutiny over enforcement consistency. Meta's €1.2 billion fine over illegal transfers of European user data to the United States, still the largest individual GDPR penalty on record, remains under active appeal, one of several major penalties from Ireland's DPC currently contested in court. Any renewed legal challenge to the adequacy decision would land in an enforcement environment where cross-border data transfer disputes are already a recurring and unresolved feature of EU-US digital commerce, rather than a settled question companies can treat as closed.

What happens next

The European Commission has not yet issued a public response to noyb's letter. Under the terms of the 2023 decision itself, the Commission is required to monitor US legal developments on an ongoing basis and can initiate a suspension, amendment, or repeal procedure if it concludes the adequacy finding is no longer justified. Whether Monday's ruling meets that threshold in the Commission's own assessment, separate from noyb's assessment, remains an open question. A formal repeal procedure, an amendment limiting the decision's scope, or continued reliance on the framework pending a Court of Justice ruling are all live possibilities, and the Commission has given no public indication which path it intends to take.

Timeline

  • 7 October 2022 - Then-President Biden signs Executive Order 14086, creating the Data Protection Review Court and updated signals-intelligence safeguards that underpin the EU-US framework.
  • 10 July 2023 - The European Commission adopts Commission Implementing Decision (EU) 2023/1795, establishing the EU-US Data Privacy Framework and citing the FTC's independence more than 250 times.
  • 1 September 2023 - Google begins relying on the framework for certain EU-to-US data transfers in its advertising services.
  • 20 January 2025 - President Trump signs an executive order mandating a 45-day review of Biden-era national security decisions, including those underpinning the framework.
  • 23 January 2025 - Reports emerge that Democratic members of the Privacy and Civil Liberties Oversight Board were asked to resign.
  • 6 September 2023 (filed) / 3 September 2025 (ruling) - The General Court dismisses French politician Philippe Latombe's challenge to the framework in Latombe v Commission, upholding the adequacy decision.
  • 20 March 2026 - The Fifth Circuit Court of Appeals, in a separate FTC enforcement case, notes in a concurrence that the Supreme Court is weighing whether FTC commissioners can be shielded from presidential removal in Trump v. Slaughter.
  • 29 June 2026 (Monday) - The US Supreme Court rules in Trump v. Slaughter that the FTC's structural independence from presidential removal is unconstitutional.
  • 30 June 2026 - noyb issues a media statement and sends a formal letter to the European Commission calling for an orderly withdrawal from the adequacy decision, while stating it will file its own annulment lawsuit within weeks if the Commission does not act.

Summary

Who: Max Schrems and the Austrian non-profit noyb - European Centre for Digital Rights, addressing the European Commission, specifically Commissioner McGrath and Deputy Director-General Irena Moozova.

What: The US Supreme Court's ruling in Trump v. Slaughter found that the Federal Trade Commission's structural independence from presidential removal is unconstitutional. Because the European Commission's 2023 EU-US Data Privacy Framework adequacy decision cites that independence more than 250 times as the basis for meeting EU oversight requirements, noyb argues the legal foundation for transatlantic commercial data transfers has collapsed, and is calling for an orderly Commission-led withdrawal from the decision.

When: The Supreme Court issued its ruling on Monday, June 29, 2026. noyb sent its media statement and formal letter to the Commission the following day, June 30, 2026.

Where: The dispute spans both the United States, where the constitutional ruling originated, and the European Union, where the Commission's adequacy decision governs data transfers from all 27 member states plus the three EEA countries.

Why: The ruling strips away a central pillar of the legal reasoning behind the EU-US Data Privacy Framework without immediately invalidating the framework itself, creating a period of legal uncertainty for the thousands of US companies, including major advertising and cloud infrastructure providers, that rely on the decision to receive personal data from the EU without additional authorization. noyb has signaled it will pursue its own Court of Justice challenge within weeks if the Commission does not act first, with any such litigation expected to take two to three years to resolve.