On June 29, 2026, the U.S. Supreme Court dealt a structural blow to the EU-U.S. Data Privacy Framework. Safe Harbor, Privacy Shield—and now the DPF. What the ruling means for businesses and why waiting to see what happens this time could prove costly.
In late June 2026, the U.S. Supreme Court ruled 6–3 that the Federal Trade Commission (FTC) may no longer be an independent agency. The case is Trump v. Slaughter (Case No. 25-332) and, at first glance, sounds like a domestic U.S. constitutional dispute over the separation of powers. But it’s about much more than that: It directly impacts the EU-US Data Privacy Framework (DPF)—and thus the legal basis on which a significant portion of data transfers from European companies to Google, Microsoft, and AWS relies.
Anyone familiar with the history will recognize the pattern immediately. The uneasy feeling: This isn’t the first time.
In 2000, the European Commission established Safe Harbor, an adequacy decision that permitted data exports to the U.S. under certain conditions. The European Court of Justice (ECJ) declared it invalid in 2015—Schrems I (C-362/14). Reasoning: U.S. surveillance laws and a lack of legal protection. The Privacy Shield followed in 2016 as its successor. In 2020, the CJEU struck down this one as well—Schrems II (C-311/18). Same reasoning, new label.
In 2023, the European Commission presented a third agreement: the EU-US Data Privacy Framework (Implementing Decision EU 2023/1795). Max Schrems of the data protection organization noyb (None of Your Business) commented at the time that it was “largely a copy of the agreements previously declared invalid.” Hisassessment is now well documented at.
The June 29 ruling proves him right.
The European Commission’s adequacy decision for the DPF cites the FTC as an independent data protection authority 259 times. This figure is no exaggeration—it is stated in the decision itself. Primary EU law—specifically Article 16(2) of the Treaty on the Functioning of the European Union (TFEU) and Article 8(3) of the Charter of Fundamental Rights of the European Union (CFREU)—mandates that data protection supervision must be carried out by an independent authority. Third countries must ensure a “substantially equivalent” level of protection—which includes an independent authority.
The Supreme Court followed the so-called Unitary Executive Theory: The President must be able to exercise unrestricted control over all federal agencies. Thus, Trump’s dismissal of Democratic FTC Commissioner Rebecca Slaughter without stating reasons was lawful. And thus, the FTC is an agency subject to the White House’s directives—not an independent supervisory body as defined by EU law.
The edifice upon which the adequacy decision rests has just lost one of its supporting pillars.
Furthermore, the Data Protection Review Court (DPRC), which the Biden administration established as a legal protection mechanism for EU citizens, is not a court in the constitutional sense. It is an agency within the U.S. Department of Justice, established solely by an executive order—which the president can revoke at any time.
Many companies do not rely directly on the DPF for data transfers, but rather on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs). These instruments also require Transfer Impact Assessments (TIAs)—impact assessments that evaluate whether the level of protection in the third country is in fact sufficient. Until now, these assessments have relied, among other things, on the independence of the FTC, the Privacy and Civil Liberties Oversight Board (PCLOB), and the DPRC.
Following the Slaughter ruling, all three are no longer independent or are structurally weakened. Anyone who fails to update their TIAs is acting on the basis of outdated facts. And anyone who faces a noyb lawsuit with an outdated assessment has a GDPR problem—not “someday,” but right now.
Nothing happens overnight. The adequacy decision formally remains in effect until the European Commission revokes it or the European Court of Justice declares it invalid. Experience shows that such a process takes one to three years. The Commission will not voluntarily revoke the decision for the time being—the political and economic stakes in transatlantic data flows are simply too high. noyb formally wrote to the Commission on June 30, demanding an orderly withdrawal and announcing a lawsuit. t3n sums it up: “Schrems’ success rate suggests that we should urgently address this issue now.”
This is the realistic assessment: The DPF will likely not emerge from this proceeding unscathed. The structural problems—no independent supervisory body, no genuine equivalence in legal protection against U.S. surveillance, FISA Section 702 (50 U.S.C. § 1881a) unchanged—are the same as with its predecessors. Only the label was new.
Anyone who relies on the DPF today and has not documented a Plan B risks a breach of the duty of care under Article 46 of the General Data Protection Regulation (GDPR). After all, the Slaughter ruling is not an external surprise—it is a public, legally documented change to the factual basis on which the adequacy decision rests.
At this point, an important issue deserves to be honestly addressed, one that gets lost in many commentaries: Switching to an “EU service” does not automatically solve the problem. Many European software providers operate their infrastructure on Amazon Web Services (AWS), Microsoft Azure, or Google Cloud. They are thus themselves part of the supply chain whose legal foundation is currently being undermined.
The relevant question, therefore, is not merely where a service was developed or where the company is headquartered. It is: On whose infrastructure does the data run? Who has administrator access? To which legal jurisdiction is the operator actually subject? And: Who controls the keys?
In a published legal opinion, the Federal Ministry of the Interior documented that U.S. access is not precluded by the data’s location in Europe— the provider’s jurisdiction is the decisive factor. This applies equally to subcontractor chains. Anyone who wants to seriously reassess their GDPR risk profile must scrutinize the entire processing chain down to the operational infrastructure level.
An immediate operational disruption is not the most likely scenario. But the risk landscape has shifted—and this is documented, not speculative. Three steps make sense now:
- Take stock of the legal basis. On what basis do you transfer personal data to the U.S.—DPF certification, SCCs, or BCRs? The following applies to all three methods: The factual basis for Transfer Impact Assessments has changed. Assessments that relied on FTC independence or DPRC independence must be updated.
- Review the subcontractor chain. It’s not just the direct cloud provider that matters. SaaS tools, analytics, CRM, communication services, and backup systems are also part of the chain. For each category, ask: Whose infrastructure? Whose control over keys? Whose jurisdiction?
- Document Plan B. If the European Court of Justice declares the DPF invalid in one to three years, what consequences will that have for your operations? Answering this question now is significantly less costly than answering it in an emergency. Sovereign EU services free from dependence on U.S. infrastructure, customer-controlled key management, and tested exit scenarios must be on the agenda—not as a contingency plan, but as a strategic foundation.
The relationship between U.S . laws and the GDPR is structurally critical. The EU resolution on digital sovereignty from January 2026 addressed precisely this development as a structural risk.
SecureCloud GmbH operates its entire infrastructure exclusively on its own hardware at noris network AG in Nuremberg—without any involvement of U.S. providers in the subcontractor chain, without a U.S. parent company, and without exposure to U.S. law. Operations are governed exclusively by German and European law. Certified to BSI C5 and ISO 27001.
This makes SecureCloud an option for companies that want to mitigate the risks associated with a change in infrastructure class—not through paperwork surrounding an agreement that will likely end up before the European Court of Justice for the third time.
SecureShare for controlled data exchange, SecureWork for secure collaboration, and SecureSign for legally compliant digital signatures are built on this foundation. Anyone who wants to know exactly what a switch entails—which data, which processes, and what effort is required—can clarify this directly without any detours.