Noyb urges immediate Commission action as FTC independence is called into question — businesses relying on DPF for transatlantic data flows should prepare contingency plans now.
Privacy activist Max Schrems and his organization noy b are once again positioning themselves at the center of transatlantic data politics. On the heels of a landmark US Supreme Court decision, noy b announced plans to launch a fresh legal challenge to the EU-US Data Privacy Framework (DPF), potentially setting the stage for “Schrems III” at the Court of Justice of the European Union (CJEU).
In a letter to the European Commission, noy b is urging an immediate exit from the DPF, arguing that recent developments have fatally undermined one of its core pillars: the independence of US oversight bodies, particularly the Federal Trade Commission (FTC).
The Trigger: US Supreme Court Ruling on FTC Independence
The catalyst is Monday’s Supreme Court decision siding with President Trump’s authority to dismiss FTC Commissioner Rebecca Slaughter. This ruling, combined with other administration actions reshaping independent agencies, has led European privacy experts to question whether the FTC can still be considered sufficiently independent for the purposes of the EU’s adequacy decision underpinning the DPF.
The DPF, adopted in July 2023, was designed to provide a stable mechanism for lawful EU-to-US personal data transfers after the invalidation of its predecessors (Safe Harbor and Privacy Shield) in Schrems I and II. Central to its legitimacy is the existence of effective, independent redress mechanisms and oversight in the US.
“The Supreme Court’s decision cements the case for tearing up the DPF.”
— noy b (via Euractiv reporting)
Why This Challenge Could Succeed Where Others Hesitated
While another DPF challenge (the Latombe case) is already pending before the CJEU, Schrems’ team sees the FTC ruling as opening a clearer pathway for a new referral. Noyb plans to file its challenge in the coming weeks, seeking to bring the matter directly before Europe’s highest court.
This is familiar territory for Schrems, whose prior cases fundamentally reshaped global data transfer rules. Businesses should not dismiss this as mere activism — history shows these challenges carry real weight.
Timeline of Transatlantic Data Drama
- 2015: Schrems I — Safe Harbor invalidated
- 2020: Schrems II — Privacy Shield struck down
- 2023: DPF adopted as new adequacy mechanism
- 2026: Potential Schrems III amid FTC independence concerns
Practical Implications for Businesses
Organizations relying on the DPF for EU-US data transfers — including cloud providers, SaaS companies, multinational corporations, and those involved in AI/data processing — face heightened uncertainty:
Immediate Risks
- Potential suspension or invalidation of DPF certifications, forcing a shift to Standard Contractual Clauses (SCCs) + supplementary measures (including Transfer Impact Assessments).
- Increased regulatory scrutiny from EU Data Protection Authorities (DPAs) during investigations or complaints.
- Reputational and operational disruption if mass data transfer mechanisms are disrupted.
Strategic Recommendations
- Conduct a DPF Dependency Audit: Map all data flows relying on the framework and assess alternatives.
- Strengthen Supplementary Measures: Enhance encryption, data minimization, contractual protections, and TIAs to withstand potential Schrems-style scrutiny.
- Monitor CJEU Developments Closely: Cases can move faster than expected once referred.
- Engage with Industry Groups: Collective advocacy for clearer EU guidance or negotiations for DPF reforms could mitigate impacts.
- Prepare for a Multi-Mechanism World: Diversify transfer tools (Binding Corporate Rules, derogations where applicable) and localize critical data where feasible.
Broader Context: EU-US Privacy Relations Under Strain
This challenge arrives amid wider tensions in the transatlantic relationship, including AI governance divergences, export controls, and differing approaches to tech regulation. While the DPF was hailed as a pragmatic compromise, its reliance on US administrative independence has always been a vulnerability — one that Schrems has now targeted with precision.
The European Commission will likely defend the framework vigorously, but noy b’s track record suggests businesses cannot afford complacency. A multi-year legal battle could create prolonged uncertainty, similar to the post-Schrems II period.
Navigating Transatlantic Data Compliance?
Captain Compliance helps organizations assess DPF exposure, implement robust transfer mechanisms, and build future-proof privacy architectures amid evolving EU-US dynamics.