CIPA Litigation Prevention Guide

Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.

Thank you!
Please check your email to view the guide.

Noyb urges EU to withdraw from the EU-US Data Privacy Framework after Trump v. Slaughter decision

July 6, 2026
5
 mins read
Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm
Noyb urges EU to withdraw from the EU-US Data Privacy Framework

On June 29, 2026, the US Supreme Court ruled in Trump v. Slaughter that the President can remove Federal Trade Commission (FTC) commissioners at will, leading the privacy group noyb to write to the European Commission urging an “orderly withdrawal” from the EU-US Data Privacy Framework (DPF).

  • In a 6-3 decision, the Court overruled the 1935 Humphrey's Executor precedent and held that the statutory "for cause" protection for FTC commissioners is unconstitutional, stripping the FTC of its independence
  • The EU-US DPF relies on the FTC as an independent supervisory authority, referring to it 259 times, so noyb argues the adequacy decision's foundation has collapsed against Article 16(2) TFEU and Article 8(3) of the Charter, which require independent oversight
  • noyb has asked the Commission to plan an orderly repeal of the adequacy decision with transition periods, and has threatened a court challenge that could become "Schrems III"

What did the Supreme Court decide?

The case arose after President Trump fired Democratic FTC commissioners Rebecca Slaughter and Alvaro Bedoya in 2025 without citing any statutory cause, stating only that their service was inconsistent with his administration's priorities.

The Court held that because the FTC exercises executive power, its commissioners must be removable by the President at will. Writing for the majority, Chief Justice Roberts concluded that little was left of the leading precedent in this area, Humphrey's Executor, and overruled it. 

The practical effect is that the FTC now sits under direct White House control.

Why does a US separation-of-powers case matter for EU transfers?

The Commission's July 2023 adequacy decision leans heavily on the FTC acting as an independent regulator. Recital 60 points to the commissioners' fixed terms and for-cause removal as a structural safeguard, a description that is now a historical artifact.

EU treaty law requires an independent supervisory authority for adequacy. Noyb frames the result as a constitutional clash of laws: EU law requires independence, and US constitutional law now forbids it. 

The same logic reaches the surveillance safeguards the Framework depends on, including the Privacy and Civil Liberties Oversight Board and the Data Protection Review Court created within the Department of Justice by Executive Order 14086.

How does this connect to everyday tracking tools?

Before 2023, most EU enforcement against Google Analytics and the Meta Pixel turned on transfers, not consent. 

In July 2020, the Court of Justice of the European Union’s (CJEU) found that US transfers generally failed the "essentially equivalent" standard, citing weak safeguards and no effective redress. Following this case, known as Schrems II, noyb filed 101 complaints against websites running these tools.

Those complaints largely succeeded, and regulators in Austria, Denmark, France, Italy, and elsewhere reprimanded or fined operators that deployed these US-based tracking tools. 

The EU-US DPF paused that problem by legitimising US data transfers. But if the DPF’s foundation is now gone, the pre-2023 uncertainty over US-based tracking and cloud tools returns.

Does anything change immediately?

No. The adequacy decision stays formally in force until the Commission repeals it or the Court of Justice annuls it, and a noyb lawsuit could take years.

Noyb argues that users of other transfer tools, namely Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), are also affected, because their transfer impact assessments rely on the same US oversight bodies whose independence is now contested.

What should privacy teams do?

Treat this case as a signal to prepare, not to panic. The decision does not break transfers today, but it undermines the reasoning that many assessments rest on.

Teams should confirm where US transfers sit in their processing, including embedded website tools and cloud services, and be ready with a fallback if the DPF is repealed or annulled.

Key takeaways

  • Map every processing activity that depends on US data transfers and record the legal basis for each, including embedded website tools such as Google Analytics and the Meta Pixel, and US cloud providers
  • Revisit transfer impact assessments that rely on the independence of US oversight bodies such as the PCLOB and the Data Protection Review Court
  • Prepare a fallback, whether updated safeguards or EU data residency, so that a repeal or annulment of the adequacy decision does not create a sudden compliance cliff

Privado AI's agentic privacy platform maps international data flows and maintains a RoPA automatically, so privacy teams can quickly identify which processing depends on US transfers and act if the adequacy decision is withdrawn.

Industry insights you won’t delete. Delivered to your inbox.

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Continue Reading