No, the Supreme Court Did Not Just Kill the EU-U.S. Data Privacy Framework

Table of Contents

Within hours of the U.S. Supreme Court’s June 29, 2026 decision in Trump v. Slaughter — which struck down the for-cause removal protections shielding FTC commissioners and overruled the 1935 precedent Humphrey’s Executor — the hot takes started flying. If the president can now fire FTC commissioners at will, the argument went, then the same logic must apply to the Data Protection Review Court, the redress body at the heart of the EU-U.S. Data Privacy Framework. And if the DPRC’s independence falls, trans-Atlantic data transfers fall with it.

It’s a scary story, and if your business depends on moving personal data from the EU to the U.S., you’ve probably seen some version of it in your feed. But a close reading of what the Supreme Court actually decided — laid out in detail by privacy scholars Théodore Christakis, Kenneth Propp, and Peter Swire in a recent IAPP analysis — shows the doomsday claim doesn’t hold up. Here’s why the DPF’s redress mechanism remains standing, and why your transfers remain lawful today.

Two Different Frameworks Inside One Adequacy Decision

The EU’s adequacy decision for the U.S. has two distinct dimensions, and conflating them is where most of the panic comes from. The commercial dimension covers the obligations of DPF-certified companies and their supervision by the FTC. The government access dimension covers surveillance — the limits, safeguards, and redress available to EU individuals when U.S. intelligence agencies access their data. That second dimension is the one that both Schrems I and Schrems II turned on, and it’s the one the DPRC exists to satisfy.

Trump v. Slaughter is about the FTC. The FTC has never had any jurisdiction over national security or signals intelligence. So whatever questions the decision raises for the commercial oversight side — and there are real questions there, still being analyzed — the ruling can only touch that side. The surveillance redress architecture that the European courts actually care most about is a separate structure, built on a separate legal foundation.

Why the DPRC Is Built Differently Than the FTC

The claim that Slaughter “applies equally” to the DPRC misses how the DPRC was constructed — deliberately — to avoid exactly this kind of constitutional attack. The FTC commissioners’ independence rested on a congressional statute limiting the president’s removal power. That is precisely what the Supreme Court struck down: Congress restricting the executive.

The DPRC’s independence rests on something else entirely: the executive binding itself. It was created by Executive Order 14086 and a Department of Justice regulation that govern how its judges are appointed, supervised, and removed — only for cause, on enumerated grounds. Under long-standing Supreme Court authority, including United States v. Nixon and Accardi v. Shaughnessy, the executive branch is bound by its own regulations for as long as they remain in force, and those regulations can’t be repealed by fiat — only through the same public, reasoned process used to adopt them. Notably, the Slaughter majority didn’t disturb Nixon; it cited it approvingly as proof the president “is not all powerful.”

Three independent shields emerge from the decision itself. First, Slaughter targets congressional limits on removal, not the executive’s self-imposed ones — and the DPRC’s protections are self-imposed. Second, the Court expressly reserved the question of tenure protections for adjudicators on non-Article III courts, which is exactly what the DPRC is. A decision that explicitly leaves a question open can’t be read as answering it. Third, the Court preserved the Morrison v. Olson and Perkins line of cases allowing for-cause protection for inferior officers — and DPRC judges, appointed by the attorney general with narrow, defined jurisdiction, fit that profile. Any one of these grounds is enough on its own.

The Overlooked Safety Net: SCCs Don’t Depend on the FTC Either

There’s a structural point in the analysis that deserves more attention than it’s gotten. Most EU-to-U.S. transfers don’t even run under the DPF — they run under standard contractual clauses and binding corporate rules. Those instruments never depended on FTC oversight. What Schrems II made decisive for SCCs was government access to data, and the safeguards created by Executive Order 14086 — including the DPRC redress mechanism — protect transfers under any instrument, not just DPF-certified ones.

So even in a worst-case scenario where the adequacy decision were someday invalidated over the commercial oversight question, companies could continue transferring data under SCCs and BCRs, relying on the very government-access safeguards that Slaughter leaves intact and that the EU General Court upheld in Latombe v. Commission. The only failure that would truly be fatal to trans-Atlantic transfers is a failure on the surveillance side — and that’s the side this decision doesn’t reach.

What This Means for Your Business Right Now

The practical position is unchanged. The adequacy decision remains in force. Transfers under the DPF remain lawful. Your SCCs remain valid. If you’re DPF-certified, your certification obligations continue, and there’s no need to rip up your transfer mechanisms based on headlines.

That said, “unchanged today” isn’t the same as “nothing to watch.” The commercial oversight questions Slaughter raises for the FTC’s role are real and unresolved, the Latombe judgment is under appeal, and European regulators are paying close attention. Smart companies will use this moment to confirm they know exactly which legal basis each of their trans-Atlantic data flows relies on — DPF certification, SCCs, BCRs — and to make sure fallback mechanisms are documented, not assumed. The businesses that struggled most after Schrems II were the ones who couldn’t map their own transfers.

Want to know exactly which transfer mechanisms your data flows rely on and whether your fallbacks would hold up? Contact Captain Compliance today for a free compliance assessment.

Written by: 

Online Privacy Compliance Made Easy

Captain Compliance makes it easy to develop, oversee, and expand your privacy program. Book a demo or start a trial now.