In March 2025, we asked where the EU-U.S. Data Privacy Framework (DPF) stood and whether it would survive the year. It did, but the questions surrounding it never went away. Our Chief Privacy Officer even argued at the time that the framework was doomed by design.
A recent decision by the US Supreme Court has brought those questions back to the front page. On June 29, 2026, the Court ruled that the US President can dismiss Federal Trade Commission (FTC) commissioners at will, a decision that directly concerns the agency the European Commission relies on to oversee EU-U.S. data transfers. Within days, privacy advocacy group noyb, led by Max Schrems, called on the Commission to withdraw the adequacy decision underpinning the DPF and announced a lawsuit before the Court of Justice of the European Union (CJEU).
If that lawsuit results in the invalidation of the DPF, it would follow Schrems I and Schrems II as the third judicial strike against an EU-U.S. data transfer agreement, in other words, a potential Schrems III. In this article, we cover what happened, what it could mean for your organization, and how to prepare.
What just happened in the United States: Trump v. Slaughter explained
On paper, Trump v. Slaughter is a case about the structure of the US government, not about data privacy.
The Supreme Court struck down the statute under which FTC commissioners could only be removed for cause, overruling its own 1935 precedent in Humphrey's Executor v. United States. In practice, this means the President can now dismiss commissioners at will, ending the structural independence the agency had maintained for over 90 years. The ruling follows the unitary executive theory, under which all US executive bodies must answer to the President.
The connection to data transfers is direct. Since 2000, the United States has designated the FTC as the privacy regulator responsible for enforcing EU-U.S. data transfer arrangements, precisely because it was considered independent.
With the Supreme Court removing the FTC's independence, the central enforcement pillar of the framework no longer matches the description on which the European Commission based its decision.
Why the ruling threatens the EU-U.S. Data Privacy Framework
EU law requires independent oversight of data protection, as stated in both the Treaty on the Functioning of the European Union and the Charter of Fundamental Rights. For a third country to receive an adequacy decision, it must offer protections that are "essentially equivalent" to those guaranteed in the EU, including independent oversight.
Crucially, the EU constitutional framework requires independent oversight. The only way to change this would be a unanimous vote by all EU Member States to change the EU treaties.
- Max Schrems, Honorary Chairman of noyb, privacy lawyer, author, and speaker (source: US Supreme Court just blew up EU-US Data Transfers, noyb)
This is the same structural weakness that brought down the DPF's predecessors. The CJEU invalidated the Safe Harbor Agreement in 2015 (Schrems I) and the Privacy Shield in 2020 (Schrems II), both times over concerns about US surveillance practices and the lack of effective safeguards for Europeans. We covered this history in detail in our 2025 overview of the DPF.
noyb has now sent a formal letter to the European Commission asking it to repeal the adequacy decision and has announced a lawsuit seeking to have the CJEU annul it. Our Chief Privacy Officer, Thomas Adhumeau, saw this coming over a year ago:
It would be naïve to think that the Data Privacy Framework will stand. Businesses must start preparing now, rather than waiting for the official announcement that will, as always, trigger a wave of panic.
- Thomas Adhumeau, Chief Privacy Officer at Didomi (source: EU-U.S. Data Privacy Framework (DPF): Where do we stand in 2025?, Didomi blog, March 2025)
Now that it seems a Schrems III could happen, what are the implications for businesses, and how should they prepare?
What this means for your business right now
The most important thing to understand is that nothing changes overnight. The adequacy decision remains formally in force until the European Commission repeals it or the CJEU annuls it. Data transfers carried out under the DPF today are not suddenly unlawful.
That said, two developments deserve close attention.
The first is the European Commission's response. The Commission built the DPF on the premise of independent US oversight, and it will eventually have to address the fact that this premise has eroded. Whether that takes the form of a press release, a renegotiation, or a formal withdrawal remains to be seen, and we would not expect an immediate response.
The second concerns companies that assume they are unaffected because their transfers rely on Standard Contractual Clauses (SCCs) rather than on the DPF itself. noyb argues that the ruling also weakens the risk assessments underpinning those arrangements. Without diving into the legal details, the point is that relying on SCCs does not make this news irrelevant to your organization.
What you should do is exactly what the next section covers.
How to prepare for a possible Schrems III scenario
Whatever happens next, a potential invalidation of the DPF doesn’t mean European companies need to abandon US providers, or that US companies should expect to lose their European customers. But it does mean that organizations should not depend on a single legal mechanism for their trans-Atlantic data flows.
In practice, preparation comes down to three complementary options:
1. Map your data flows and refresh your transfer impact assessment
You cannot manage exposure you have not measured. It is therefore crucial to identify which of your vendors and tools transfer personal data across the Atlantic, on what legal basis, and what would happen if that basis were to disappear.
Transfer impact assessments were once a weeks-long exercise, but modern tooling has considerably reduced the effort, making them far more manageable than they used to be.
2. Put a backup transfer mechanism in place
If your transfers rely solely on the DPF, negotiate SCCs with your key providers now, so that an invalidation does not leave you without a legal basis.
SCCs should go hand in hand with an up-to-date transfer impact assessment, but they remain the most established fallback option, with precedent for their resilience. When Schrems II struck down the Privacy Shield in 2020, the CJEU explicitly upheld the validity of SCCs in the same ruling, and they are what kept data flowing until the DPF arrived.
3. Take control of your data flows
The most resilient data flow is the one you actively govern. Adopting server-side infrastructure gives you a single point of control over what data is shared with third parties, in what form, and where it goes, rather than leaving those decisions to the dozens of tags firing in a browser.
That logic holds on both sides of the Atlantic. And should the DPF fall, the question of where your data goes is one you will already have answered yourself, rather than one a court answers for you.
The road to a potential Schrems III
We anticipated in 2025 that the DPF would face an existential challenge, and events continue to point in that direction. Whether the framework actually falls, however, is not a foregone conclusion. That decision now sits with the European Commission, which could withdraw or renegotiate the adequacy decision, and with the CJEU, which could annul it, uphold it, or dismiss the case altogether.
The timing is just as open. By noyb's own estimate, court proceedings typically take two to three years to reach a final decision, but the European Commission is not bound by that calendar and could act at any moment. Organizations may have years to prepare, or far less, and our recommendations hold either way. We will continue to cover developments as they unfold.
In the meantime, the best position to be in is the one where a Schrems III ruling, whenever and however it lands, is a legal formality for your organization rather than an emergency. If you want to discuss what a resilient data transfer setup looks like for your organization, from consent management to server-side infrastructure, book a chat with our team:
{{talk-to-an-expert}}

.png)






.avif)





