Subjects
Jurisdictions

USA and EU: Supreme Court Decision and Data Transfers

The recent decision of the US Supreme Court in the case of Trump v Slaughter may have unintended consequences for the transfer of personal data from the EU to the US.

The Decision

President Tump had dismissed Rebecca Slaughter as a Democratic commissioner of the Federal Trade Commission (FTC) without cause. The legality of that use of Presidential power was challenged on grounds that it was an unconstitutional use of power over a supposedly independent agency. The Supreme Court ruled that the President has the power to remove leaders of independent agencies without showing cause. This decision obviously brings into question the independence of the FTC itself.

The Data Protection Background

The current EU-US Data Privacy Framework (DPF) is the main legal mechanism permitting personal data transfer between the EU and the US. It followed the European Court of Justice’s (ECJ) invalidation of both Safe Harbour (2015) and Privacy Shield (2020) after the two Schrems cases. In the Schrems cases, the ECJ found mainly that EU data subjects were not given an essentially equivalent level of protection in the US, particularly in relation to surveillance and redress. 

The DPF was designed to address the adequacy points in the Schrems cases. A key element of the DPF is the independence of US oversight and the enforcement of the legal protections afforded to EU personal data. The FTC is central to this role. They have the responsibility for enforcing the commitments of US companies and providing a route to redress for EU citizens who suffer violation of their data rights.     

If the FTC can no longer be regarded as an independent agency, the DPF, as an adequate protector for EU personal data in the US, comes into question. There are already indications that the DPF will be challenged, whether via the ECJ or by the EU Commission itself.

What Now?

For now, the Supreme Court decision has no immediate impact on EU-US data transfer. Businesses relying on the DPF to transfer EU personal data to the US, can continue to do so.  However, it may be prudent to anticipate the end of the DPF.  Suggested actions are for now:

  • Make sure you know which data flows currently depend on DPF certification;
  • Watch for developments and possible challenges to DPF validation.

Alternatives to the DPF?

The current fall-back options, should DPF fail, are principally “EU Standard Contractual Clauses” or “Binding Corporate Rules”, both of which come with significant administrative challenges and costs.   

This is a high-level general update only. Legal advice should be obtained on specific circumstances.


Scroll to Top