Summary
- noyb says the EU-US Data Privacy Framework is weakened by a US Supreme Court ruling affecting FTC independence.
- The framework supports EU personal data transfers to certified US companies, including cloud, SaaS, analytics, and outsourcing providers.
- European organisations may need to revisit transfer risk, contract fallbacks, and dependence on US infrastructure if a formal challenge advances.
noyb has called on the European Commission to withdraw the EU-US Data Privacy Framework after a US Supreme Court ruling raised doubts over the independence of the Federal Trade Commission.
The privacy group argues that the decision in Trump v. Slaughter weakens one of the legal assumptions behind transatlantic data transfers. The European Commission’s adequacy decision for the EU-US Data Privacy Framework allows personal data to flow from the EU to participating US companies without additional transfer authorisations, provided those companies meet the framework’s requirements.
The FTC has long been central to US enforcement of transatlantic privacy arrangements. noyb says the latest ruling undermines the agency’s independence, and therefore weakens the credibility of the safeguards relied on by the EU. The group has written to the Commission asking it to act, arguing that independent oversight is a condition of lawful adequacy under EU law.
The ruling did not decide a privacy case and did not directly address international data transfers. Its effect is indirect, but it reaches a sensitive part of the framework. If US enforcement bodies can be made more politically dependent on the executive, European privacy campaigners will argue that the US no longer provides the independent supervision assumed in the adequacy decision.
The immediate legal position for companies is unchanged. The Data Privacy Framework has not been withdrawn, invalidated, or suspended. Certified US providers remain able to rely on it, and European customers are not required to stop using it. The exposure sits in legal durability rather than operational availability.
That durability is central to procurement, cloud strategy, outsourcing, and regulated-sector governance. European organisations have built major parts of their operating models around US cloud, SaaS, analytics, security, HR, collaboration, and customer platforms. A successful legal challenge would affect data mapping, vendor assessment, contract terms, localisation choices, exit planning, and the cost of maintaining defensible transfers.
Standard contractual clauses and binding corporate rules may remain available in many transfer scenarios, but they do not remove the need to assess foreign-law access risks. If the US oversight environment is judged to weaken independent supervision, those assessments become harder, especially where sensitive personal data, employee monitoring, health information, financial data, public-sector workloads, or regulated operational data are involved.
The Commission has already seen two earlier EU-US transfer mechanisms fall. Safe Harbor and Privacy Shield were invalidated after legal challenges driven by concerns over US surveillance and redress. The Data Privacy Framework was designed to address those failures through new safeguards, redress mechanisms, and certification obligations. The latest challenge focuses on agency independence, but it still goes to whether the enforcement architecture can meet EU standards.
UK organisations sit outside the EU framework’s direct legal structure after Brexit, although the operational exposure remains close. Many UK businesses use the same US platforms as EU organisations, run shared European operating models, or process EU customer and employee data. Any destabilisation of the EU framework would create contractual and governance friction that crosses borders quickly.
The next stage will depend on the Commission’s assessment and whether noyb or another claimant brings a formal challenge before EU courts. Until then, reliance on US infrastructure may remain lawful, while the stability of that reliance faces renewed scrutiny.





