
Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.
Thank you!
Please check your email to view the guide.

On June 29, 2026, the US Supreme Court ruled in Trump v. Slaughter that the President can remove Federal Trade Commission (FTC) commissioners at will, leading the privacy group noyb to write to the European Commission urging an “orderly withdrawal” from the EU-US Data Privacy Framework (DPF).
The case arose after President Trump fired Democratic FTC commissioners Rebecca Slaughter and Alvaro Bedoya in 2025 without citing any statutory cause, stating only that their service was inconsistent with his administration's priorities.
The Court held that because the FTC exercises executive power, its commissioners must be removable by the President at will. Writing for the majority, Chief Justice Roberts concluded that little was left of the leading precedent in this area, Humphrey's Executor, and overruled it.
The practical effect is that the FTC now sits under direct White House control.
The Commission's July 2023 adequacy decision leans heavily on the FTC acting as an independent regulator. Recital 60 points to the commissioners' fixed terms and for-cause removal as a structural safeguard, a description that is now a historical artifact.
EU treaty law requires an independent supervisory authority for adequacy. Noyb frames the result as a constitutional clash of laws: EU law requires independence, and US constitutional law now forbids it.
The same logic reaches the surveillance safeguards the Framework depends on, including the Privacy and Civil Liberties Oversight Board and the Data Protection Review Court created within the Department of Justice by Executive Order 14086.
Before 2023, most EU enforcement against Google Analytics and the Meta Pixel turned on transfers, not consent.
In July 2020, the Court of Justice of the European Union’s (CJEU) found that US transfers generally failed the "essentially equivalent" standard, citing weak safeguards and no effective redress. Following this case, known as Schrems II, noyb filed 101 complaints against websites running these tools.
Those complaints largely succeeded, and regulators in Austria, Denmark, France, Italy, and elsewhere reprimanded or fined operators that deployed these US-based tracking tools.
The EU-US DPF paused that problem by legitimising US data transfers. But if the DPF’s foundation is now gone, the pre-2023 uncertainty over US-based tracking and cloud tools returns.
No. The adequacy decision stays formally in force until the Commission repeals it or the Court of Justice annuls it, and a noyb lawsuit could take years.
Noyb argues that users of other transfer tools, namely Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs), are also affected, because their transfer impact assessments rely on the same US oversight bodies whose independence is now contested.
Treat this case as a signal to prepare, not to panic. The decision does not break transfers today, but it undermines the reasoning that many assessments rest on.
Teams should confirm where US transfers sit in their processing, including embedded website tools and cloud services, and be ready with a fallback if the DPF is repealed or annulled.
Privado AI's agentic privacy platform maps international data flows and maintains a RoPA automatically, so privacy teams can quickly identify which processing depends on US transfers and act if the adequacy decision is withdrawn.