Noyb says US Supreme Court ruling puts EU-US data deal under pressure

noyb is calling on the European Commission to begin an orderly withdrawal from the US data deal.

Noyb logo

The US Supreme Court ruled on Monday in Trump v. Slaughter that the Federal Trade Commission (FTC) may no longer be considered an independent agency, a decision that digital rights organisation noyb argues undermines the legal basis of the EU-US Data Privacy Framework.

According to noyb, the European Commission referred to the FTC’s independence 259 times in its 2023 adequacy decision because EU law requires oversight of personal data protection to be carried out by an independent authority.

The EU-US Data Privacy Framework, adopted by the European Commission in 2023, was the third such agreement since 2000, following the annulment of its two predecessors, Safe Harbour and Privacy Shield, by the Court of Justice of the European Union over concerns about US surveillance laws and the lack of judicial remedies available to EU citizens.

The Supreme Court’s ruling follows the unitary executive theory, under which the conservative majority held that the US President must retain authority over all executive bodies, rendering laws that grant agencies like the FTC independence unconstitutional. Because the EU-US framework’s legal structure depended heavily on the FTC’s independent status, noyb argues that the ruling removes a key legal pillar supporting the Commission’s adequacy decision.

Noyb has sent a formal letter to the European Commission calling for the adequacy decision to be repealed and said it intends to bring a case before the Court of Justice of the European Union seeking its annulment. According to the organisation, such proceedings could take two to three years.

The European Commission’s decision remains formally in force unless repealed by the Commission itself or annulled by the courts, meaning there is no immediate legal effect. However, noyb notes that companies relying on alternative transfer mechanisms such as Standard Contractual Clauses and Binding Corporate Rules are also affected, since these typically depend on impact assessments referencing the same US oversight mechanism that noyb argues have now been legally weakened, including the Privacy and Civil Liberties Oversight Board and the Data Protection Review Court.

Why does it matter?

The ruling introduces fresh legal uncertainty around the EU-US Data Privacy Framework, which underpins transatlantic transfers of personal data used by thousands of businesses. Although the framework remains in force, a successful legal challenge could once again force organisations to reconsider how they transfer data between the EU and the United States.

The case also illustrates the continuing fragility of transatlantic data transfer arrangements. It comes as European policymakers place greater emphasis on digital sovereignty and reducing dependence on foreign digital infrastructure, potentially adding momentum to broader debates over data governance, cloud services and regulatory autonomy.

Would you like to learn more about AI, tech and digital diplomacy? If so, ask our Diplo chatbot