US ruling ‘could hit EU data-transfer deal’
(Pic: Shutterstock)

02 Jul 2026 data law Print

US ruling ‘could hit EU data-transfer deal’

Lawyers at Matheson have warned that a US Supreme Court ruling earlier this week could have a knock-on effect on a data-transfer agreement between the EU and the US.

The US’s highest court held that the country’s president had the constitutional authority to remove leaders of independent agencies or commissions without the need to establish cause.

In the case of Trump v Slaughter, the court had been asked to rule on the legality of President Donald Trump’s dismissal of Rebecca Slaughter, a Democratic commissioner of the Federal Trade Commission (FTC).

EU’s 2023 decision

In an analysis on the firm’s website, the Matheson lawyers say that the court may have called the independence of the FTC into question.

They point out that the EU-US Data Privacy Framework (DPF) is one of the main legal mechanisms enabling the transfer of personal data from the EU to the US, since the European Commission issued its adequacy decision in July 2023.

Previous data-transfer frameworks had fallen foul of the EU’s Court of Justice, which found that US surveillance law and the absence of genuine redress mechanisms meant that EU data subjects had not been afforded an essentially equivalent level of protection in respect of their personal data in the US.

“The adequacy decision underpinning the DPF is based, in material part, on the independence and effectiveness of US oversight and enforcement mechanisms, to ensure EU data subjects are afforded an essentially equivalent level of protection in respect of their personal data,” Matheson states.

FTC’s ‘central role’

It adds that the FTC occupies a “central role” in this framework, having responsibility for enforcing DPF commitments made by US companies and providing an avenue of redress for EU individuals.

“If FTC commissioners (or the leaders of other independent bodies) can be removed at the order of the US president, it is arguable that such agencies are no longer independent supervisory authorities in the manner required under EU law,” the Matheson lawyers continue.

They point out that the CJEU’s judgments in Schrems I and Schrems II make clear that effective independence of oversight bodies is a prerequisite for any finding of adequacy.

Challenge

Matheson says that, while the ruling does not immediately invalidate the DPF, privacy advocacy group NOYB, founded by Max Schrems, has already announced plans to challenge the DPF in the CJEU.

The firm adds that the European Commission may also review the adequacy decision of its own volition if it is of the opinion that EU data subjects are no longer provided with an equivalent level of personal data protection in the US.

Matheson’s lawyers urge businesses who rely on the DPF not to wait to see how the situation plays out before taking action.

They say that firms should review their transfer mechanisms and assess current fallback mechanisms such as EU Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs).

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland

Copyright © 2026 Law Society Gazette. The Law Society is not responsible for the content of external sites – see our Privacy Policy.