The legal framework governing EU–US personal data transfers has never been free from controversy. It is the third major attempt to stabilise transatlantic personal data transfers after Safe Harbor and Privacy Shield, both of which were invalidated by the Court of Justice of the European Union (“CJEU”). While the General Court’s judgment in Latombe v. Commission recently, upheld the latest framework, the EU-US Data Privacy Framework (“DPF”), it did not bring the wider debate surrounding the framework’s long-term durability to an end. The judgment confirmed the framework’s validity by reference to the position at the time of the Commission’s adequacy decision, leaving open the relevance of subsequent developments in United States (“US”) law.
That uncertainty has now returned from a different angle. The recent US Supreme Court decision in Trump v. Slaughter has prompted many to argue that one of the DPF’s key institutional safeguards has been undermined. As expected, Maximilian Schrems (the same Schrems as Schrems I and II) sent a formal letter to the European Commission to prepare an orderly withdrawal of its US adequacy decision and indicated that they intend to bring a legal challenge before the EU courts, potentially setting the stage for what many are already calling “Schrems III”.
Click here to read more on Latombe v. Commission.
The US Supreme Court delivered its judgment in Trump v. Slaughter on 29 June 2026. Although the case did not concern data protection directly, it addressed the constitutional structure of the US executive and the degree of independence that may be afforded to the federal agencies including the Federal Trade Commission ("FTC").
In brief, the case concerned the President’s power to remove FTC Commissioners. The Supreme Court held that the statutory restriction allowing removal for “inefficiency, neglect of duty, or malfeasance in office” was unconstitutional, on the basis that the FTC exercises executive power and must therefore be subject to presidential control.
The European Commission’s adequacy decision for the DPF, relies significantly on the FTC as an independent enforcement authority. The Commission’s decision refers extensively to the FTC extensively as being a key supervisory body responsible for monitoring and enforcing compliance by certified US organisations.
Under the EU data protection acquis, the Commission must consider whether the third country has one or more independent supervisory authorities which function effectively. Salient functions include enforcing compliance with data protection law and cooperation with EU supervisory authorities.
In the context of an adequacy decision under Article 45 GDPR, the Commission must also be satisfied that the third country in question ensures a level of protection for personal data that is essentially equivalent to that guaranteed within the European Union.
The principal argument now being raised is that, following Trump v. Slaughter, the FTC can no longer be regarded as sufficiently independent for these purposes. If correct, this would call into question one of the institutional safeguards on which the Commission relied when adopting the DPF adequacy decision.
Latombe remains relevant, albeit only to a limited extent. In that case, the General Court upheld the DPF against the specific pleas raised before it, including arguments concerning the independence of the Data Protection Review Court. It did not, however, give the framework a blanket endorsement against future developments in US law. Indeed, the General Court also noted that the Commission must monitor the US legal framework on an ongoing basis and may suspend, amend or repeal the adequacy decision if that framework changes. Trump v. Slaughter may therefore be understood as a subsequent development to be assessed against that continuing monitoring obligation.
Despite these present concerns, the DPF remains fully in force at the time of writing. The framework will continue to apply unless the European Commission withdraws its adequacy decision, or the CJEU annuls it following a successful legal challenge, as previously seen.
Accordingly, organisations relying on the DPF may continue transferring personal data from the EU to the US without implementing additional transfer mechanisms.
The issues raised by Trump v. Slaughter may become relevant when carrying out or updating Transfer Impact Assessments, particularly where those assessments rely on the continued effectiveness and independence of the US oversight mechanisms.
Whether the European Commission accepts that the judgment affects its adequacy decision remains to be seen. Equally, it is uncertain whether the CJEU would ultimately conclude that developments in US constitutional law undermine the level of protection required under Article 45 GDPR.
Whether Trump v. Slaughter will ultimately trigger a "Schrems III" remains yet to be seen. What is clear, however, is that the debate surrounding the long-term stability of the EU–US Data Privacy Framework and the future of transatlantic data transfers is far from settled.
International personal data transfers are not a straightforward exercise. GTG is here to help. Kindly contact us at info@gtg.com.mt
Authors: Dr J.J. Galea and Dr Mattea Pullicino