Mon 06 Jul 2026 / 14:14 ET
Kernel
Security 4 min read

Supreme Court ruling puts EU-US data transfer pact under pressure

Privacy activist Max Schrems says he will challenge the data pact after the court backed presidential removal of an FTC commissioner.

Dana Voss

By Dana Voss / Security Correspondent

Supreme Court ruling puts EU-US data transfer pact under pressure
img: The Record

A U.S. Supreme Court ruling on presidential control over the Federal Trade Commission has opened a new legal attack on the EU-U.S. Data Privacy Framework, the agreement that lets companies move Europeans’ personal data to the United States.

Max Schrems, founder of the Vienna-based privacy group noyb, told European officials in a Tuesday letter that he plans to sue to invalidate the framework. His argument is blunt: the deal depends on independent U.S. oversight, and the Supreme Court has now weakened the claim that the FTC can supply it.

The European Commission adopted the current framework in 2023 after earlier EU-U.S. data transfer arrangements were struck down. The framework was designed to answer European concerns about U.S. government access to personal data. A central part of that arrangement is oversight by an independent U.S. body to ensure transfers are controlled and limited. According to Schrems, the FTC has been the main agency filling that role.

On Monday, the Supreme Court held that President Donald Trump acted lawfully when he removed FTC Commissioner Rebecca Slaughter without cause. For Schrems, that decision changes the legal footing of the framework because an agency whose members can be fired at will by the president is harder to describe as independent.

“The basis for any EU-US data transfer deal is dead,” Schrems said in a statement released by noyb. He urged the European Commission to begin what he called an “orderly exit from the U.S. cloud,” adding that the move would be difficult but, in his view, unavoidable.

Schrems has beaten previous EU-U.S. data transfer systems in court, and noyb says the European Union relied on the FTC’s independence 259 times in decisions under the current framework.

Regulators start reviewing the damage

The European Commission has not publicly laid out a plan for handling the ruling. Commission spokesperson Markus Lammert told Politico Europe that officials had “taken note” of the Supreme Court decision and would examine what it means for the EU-U.S. agenda.

The European Data Protection Board, made up of privacy regulators from across Europe, also said it was reviewing the decision and its possible effect on the oversight mechanisms behind the data framework, according to Politico Europe. The board said the independence of the body overseeing U.S. use of Europeans’ data is central to the framework’s legitimacy.

The board cannot revoke or rewrite the framework. That power belongs to the European Commission. Its members’ views still carry weight in the privacy fights that tend to end up before the Court of Justice of the European Union.

Schrems wants the European Union to suspend transfers while litigation plays out, a process that could take years. A separate challenge is already pending: French parliamentarian Philippe Latombe has asked the EU court to invalidate the framework. In a LinkedIn post Tuesday, Latombe called on Commission President Ursula von der Leyen to cancel the framework immediately, saying it can no longer be legal.

Companies face an expensive compliance problem

If Schrems or Latombe succeeds, the decision could disrupt routine data flows between Europe and the United States. Meta and Google have previously said they would leave Europe if they could no longer transfer data to the U.S. Experts cited by The Record say the framework supports €1.7 trillion, or about $1.9 trillion, in annual transatlantic trade.

Joe Jones, director of research and insights at the International Association of Privacy Professionals, said the Commission is in a tight spot because it cannot interpret U.S. law differently from the U.S. Supreme Court. He said officials would have to explain either why diminished independence is acceptable under the framework, or what they intend to do if it is not.

Jones said about a quarter of Meta’s advertising revenue comes from the European Union. Without U.S. transfers for ad targeting, he said, Meta would have to build European storage infrastructure or deal with a more complex compliance model. He pointed to TikTok’s ongoing data infrastructure buildout in Ireland, which he said has taken substantial time and cost more than $10 billion.

This story draws on original reporting from The Record.

More Security/

view all ↗