The United States Supreme Court’s decision in Trump v. Slaughter significantly alters the constitutional framework governing independent regulatory agencies and may have implications for transatlantic personal data transfers.

The six-to-three decision overturns Humphrey’s Executor v. United States, a 1935 case establishing that Federal Trade Commission (FTC) commissioners could be removed by the President only for cause. Learn more about how the ruling reshapes and clarifies the relationship between the President and most independent agencies in this DLA Piper client alert.

According to the Court’s ruling in Trump v. Slaughter, officials who exercise executive power are subject to presidential superintendence, including the President’s power of removal. As a result, agency leadership and policy direction may become more closely aligned with changes in presidential administrations. Among the agencies affected by the decision is the FTC, which enforces compliance with privacy standards in personal data transfers between the European Union and the US.

In this alert, we discuss how the Trump v. Slaughter decision may affect the regulation of transatlantic data transfers within the context of the EU–US Data Privacy Framework (DPF).

Link to Potential impact on international data transfers Potential impact on international data transfers

Link to The EU–US Data Privacy Framework The EU–US Data Privacy Framework

The constitutional changes arising from Trump v. Slaughter could carry implications for the current DPF and the legal mechanisms underpinning transatlantic data flows.

The transfer of personal data from the EU and the United Kingdom to the US has been a contentious legal issue for more than two decades.

The Court of Justice of the EU (CJEU) annulled two previous European Commission decisions due to concerns about US surveillance laws and the lack of judicial remedies in the US. The so-called Schrems I and Schrems II decisions invalidated the US–EU Safe Harbor Framework in 2015 and the EU–US Privacy Shield Framework in 2020, respectively.

The US–EU Safe Harbor Framework required participating US companies to self-certify to the US Department of Commerce that they complied with the Safe Harbor privacy principles. The EU–US Privacy Shield Framework subsequently provided a legal mechanism for companies to transfer personal data from the EU to the US.

In 2023, the European Commission issued the DPF, a third EU–US deal that permits the transfer of personal data to US organizations that have self-certified their compliance with the framework’s principles through the US Department of Commerce.

The DPF was predicated on the provision of independent and binding redress mechanisms for EU individuals whose personal data is processed by US intelligence agencies. The FTC is a central part of that oversight architecture.

Link to The independence requirement under EU law The independence requirement under EU law

EU treaty law, namely Article 16(2) of the Treaty on the Functioning of the EU and Article 8(3) of the Charter of Fundamental Rights of the EU, requires that:

  • The oversight of data protection matters must be done by an independent authority, and
  • When assessing the adequacy of third countries to which data subject to the General Data Protection Regulation (GDPR) can be transferred, the existence and effective functioning of independent supervisory authorities is a critical factor.

Link to Looking ahead Looking ahead

It remains to be seen whether the European Commission will elect to repeal the DPF. The DPF has an in-built review mechanism, the first of which took place in 2024, which established a four-year cycle for further reviews – meaning a review would not be expected until 2028.

An out-of-cycle review could prove time-consuming against the backdrop of increased digital sovereignty in the EU. A separate challenge to the DPF by Member of French Parliament Philippe Latombe, while initially rejected by the EU General Court, remains under appeal to the CJEU.

In the meantime, businesses relying on the DPF for their transatlantic transfer programs are encouraged to continue monitoring the evolving situation and maintain backup transfer solutions.

For more information, please contact the authors or your DLA Piper attorney.