A US Supreme Court ruling has undermined the EU-US Data Privacy Framework, which allows the flow of personal data between Europe and the US. What next?
A US Supreme Court ruling has undermined the EU-US Data Privacy Framework, which allows personal data to move between Europe and the US.
Yesterday, in Trump versus Slaughter, US Supreme Court ruled that the Federal Trade Commission’s (FTC’s) independence is unconstitutional. This is because, as the Vienna-based privacy protection group noyb explains, the decision “follows the ‘unitary executive theory’ that the US President must have power over all US executive bodies, declaring all US laws that make various agencies independent to be unconstitutional.”
Why does this matter? Because since 2000, the EU has relied on the FTC to enforce EU-US deals on personal data and, in EU law, that oversight must be carried out by an independent body.
Default position except when…
Since 1995, the EU’s default position is to forbid the export of its citizens’ personal data overseas to stop parties getting round its privacy rules simply by sending data to countries outside the EU.
There are exceptions for the transfer of personal information, such as for hiring a car or hotel in the US, to far more complex transactions. EU companies tend to outsource the processing of personal data in such circumstances to US cloud providers.
Benjamin Schilz, CEO of Wire and an expert on digital sovereignty says, “The latest US ruling…should be a wake-up call for European organisations relying on US-controlled cloud and collaboration infrastructure.
“Europe has repeatedly tried to solve a structural sovereignty problem with legal workarounds. Safe Harbor failed. Privacy Shield failed. And now the EU-US Data Privacy Framework is facing a fundamental question of relevance because one of its key assumptions, independent US oversight, has been legally dismantled.”
Wire says it has been in the middle of Europe’s discussions about digital sovereignty, with the President of Germany’s Bundestag to encourage its MPs to use Wire’s platform to create a more sovereign and security-certified communications infrastructure.
No abstract debate – there are real-world consequences
Schilz continues, “This is not an abstract legal debate. It concerns the sensitive communications of governments, critical infrastructure providers, regulated industries and enterprises across Europe. The consequences are concrete: companies relying on standard contractual clauses or binding corporate rules will have to reassess their transfer risk exposure, while the legal fallback Europe was pointed to, the Data Protection Review Court, remains a mechanism within the US Department of Justice and rests on an executive order that can be changed or revoked.”
Way into the second Trump term, surely it’s surprising that anybody is surprised by this? As Persuasion pithily stated in March 2025, “…the extent to which the administration has set out to antagonize its longstanding allies on the other side of the Atlantic is astounding.”
“Until European courts provide clarity, businesses face prolonged legal uncertainty rather than a stable foundation to build on,” Shilz says. “If business-critical collaboration depends on frameworks that rest on the whims of political decision makers in Washington, organisations are not operating with digital sovereignty. They are operating with unconstrained operational risk.
“Sovereignty is not only about where data is stored. It is about who controls the infrastructure, which jurisdiction applies, and whether data and communication are protected by design. Europe must stop outsourcing trust. Critical content and communications should be secured, governed, and auditable under European rules.”


