The US Supreme Court’s recent ruling in Trump v. Slaughter has triggered renewed scrutiny of the legal foundations underpinning EU–US data transfers, with potential long-term consequences for law firms, multinational clients, and legal tech providers relying on cross-border data flows.
At the centre of the issue is the status of the US Federal Trade Commission (FTC), a key enforcement body in the current EU–US Data Privacy Framework. According to analysis by privacy advocacy group NOYB (None of Your Business), the ruling calls into question whether the FTC can continue to function as a sufficiently “independent” authority under EU law standards—an essential requirement for the adequacy decision that allows personal data to flow from the EU to the US.
Source: NOYB, “US Supreme Court just blew up EU-US data transfers” (2026).
Why the FTC Matters
The EU–US Data Privacy Framework, adopted in 2023, relies heavily on US enforcement mechanisms—particularly the FTC—to ensure that European personal data receives protections equivalent to those under the GDPR.
If the FTC is no longer viewed as independent, this could undermine one of the framework’s central legal justifications. That, in turn, opens the door to fresh legal challenges in Europe.
A New Opening for Schrems—and Others
Privacy campaigner Max Schrems (left) and his organisation NOYB have already indicated they intend to challenge the current framework. This follows their successful dismantling of its predecessors:
- Schrems I (2015): Invalidated the Safe Harbor framework.
- Schrems II (2020): Struck down the Privacy Shield.
The latest US ruling may provide what some commentators see as the missing legal argument for a “Schrems III” challenge—namely, that US enforcement mechanisms fail to meet EU standards of independence and accountability.
Dr Ilia Kolochenko, founder of ImmuniWeb and a cybersecurity lawyer, (pictured above) says the decision could become a turning point:
“The ruling is unlikely to have an immediate effect on EU–US data transfers, but its long-term consequences could be significant, potentially marking a point of no return. It hands privacy advocates like NOYB and Max Schrems a strong new argument that US data transfers are now illegal.”
Limited Immediate Impact—but Growing Risk
Despite the legal uncertainty, practitioners should not expect immediate disruption. The current framework remains in force unless and until it is invalidated by the Court of Justice of the European Union (CJEU).
However, the risk profile has shifted. Law firms advising on cross-border data transfers—particularly those involving cloud services, legal tech platforms, or discovery processes—may need to reassess contingency measures, including:
- Standard Contractual Clauses (SCCs).
- Data localisation strategies.
- Transfer risk assessments.
Political and Regulatory Crosswinds
Unlike previous iterations of the dispute, the current environment is shaped as much by politics as by law.
- The European Commission has signalled a willingness to reduce regulatory burdens, with proposals such as a “Digital Omnibus” reform that may soften aspects of GDPR enforcement.
- The United States has warned that aggressive EU enforcement actions against US companies could trigger economic retaliation.
Kolochenko notes that this creates a delicate balancing act:
“The question is not only legal, but also political. If the EU acts imprudently, its own businesses may suffer from a deterioration of EU–US economic collaboration.”
What Happens Next
While another legal challenge to the EU–US Data Privacy Framework now appears likely, its outcome is far from certain.
There are two plausible scenarios:
- A third invalidation (Schrems III), leading to renewed disruption in transatlantic data flows.
- A negotiated adjustment to the framework, potentially less disruptive than previous collapses.
Kolochenko leans toward the latter:
“Another overhaul of the current EU–US data transfer regime is inevitable—however, hopefully this time it will be less radical and painful for businesses on both sides of the Atlantic.”
Practical Takeaway for Lawyers
For legal practitioners, the ruling is less an immediate compliance crisis than an early warning signal. The structural vulnerability of EU–US data transfer mechanisms remains unresolved—and may once again be heading for judicial review.
Firms advising clients in technology, finance, and cross-border operations should monitor developments closely and prepare for renewed uncertainty in one of the most litigated areas of international data law.
