US Supreme Court ruling puts transatlantic data sharing at risk
Authors
A recent US Supreme Court ruling has introduced new legal uncertainty into the independence of the US Federal Trade Commission (“FTC”). While the decision does not itself invalidate transatlantic transfer mechanisms, it materially strengthens arguments that one of their foundational assumptions i.e. independent oversight, may be weakened. Given the FTC’s role as a key enforcement body within the EU–US Data Privacy Framework, this may affect the legal foundations supporting EU–US data sharing, impacting global data flows.
Background
A U.S. Supreme Court ruling on Monday 29 June 2026 expanded the President’s powers over the FTC. The Court held that FTC commissioners may be removed at will by the President, and it signals that similar protections at dozens of other independent agencies may be constitutionally vulnerable.
The decision is a significant constitutional development. The Court concluded that the FTC exercises core executive powers, including rulemaking with legal effect, investigations, administrative adjudication, and civil enforcement. As such, the FTC must be subject to presidential control. In doing so, the Court rejected earlier case law that had treated the FTC as operating with a degree of independence.
For any businesses trading in the US, this is likely to impact the entire regulatory landscape. Independent agencies that regulate competition, consumer protection, energy, product safety, financial markets, nuclear power and communications may become more directly responsive to presidential priorities.
At the same time, the Court indicated that not all institutional arrangements are necessarily affected in the same way, leaving open questions about the position of certain bodies with distinct historical or functional characteristics.
Whilst this fundamentally changes the regulatory landscape in the US for a number of agencies and oversight bodies, the decision also carries transatlantic implications: by casting doubt on the independence of US oversight bodies, it may affect aspects of the legal foundations of EU–US sharing of personal data (including the EU-US Privacy Framework).
The FTC’s role in US privacy law
The significance of the ruling for data protection is best understood against the FTC’s role as the leading privacy and data security regulator in the US.
Whilst the FTC covers a wide area of regulatory enforcement, in the absence of a single comprehensive federal privacy law, the FTC has become the de facto national enforcer, policing how companies collect, use, share and secure personal information across most of the economy.
In the context of international data transfers, the FTC also plays a central role in enforcing the commitments made by US organisations that certify under the EU–US Data Privacy Framework. This enforcement role is one component of a broader oversight and redress structure underpinning the framework.
Implications for EU–US data transfers
Alongside the FTC’s internal US enforcement powers, it also acts as an “independent” authority where this is required under international data laws.
The EU–US Data Privacy Framework, which is the adequacy arrangement that lets thousands of companies move personal data from the EU to the US without additional safeguards, rests in part on assurances that US oversight bodies operate independently.
Given the new ruling, the FTC’s independence is now open to challenge. Privacy campaigners, including noyb, may argue that this undermines a central pillar of the European Commission’s adequacy decision and could give the Court of Justice of the European Union grounds to strike it down.
However, it is important to distinguish between increased legal risk and the current legal position. The ruling does not itself invalidate the EU–US Data Privacy Framework. Transfers relying on the framework remain lawful unless and until it is formally reassessed or invalidated.
The more immediate effect is therefore to increase the likelihood of a successful challenge (often referred to as “Schrems III”), rather than to trigger an automatic suspension of transatlantic transfers.
A successful challenge would once again force businesses to fall back on alternative transfer tools such as Standard Contractual Clauses, which require case-by-case assessment and may reintroduce uncertainty into EU–US data flows.
More broadly, the ruling may reinforce existing lines of criticism of the framework, which extend beyond the FTC to other elements of US oversight and redress mechanisms.
How does this impact data transfers from the UK?
Similar concerns extend to the UK. The UK–US “data bridge” is the UK government’s adequacy arrangement for transfers to the US, and it operates as an extension to the EU–US Data Privacy Framework.
However, the UK–US data bridge is built on the same underlying US commitments. If concerns about US oversight independence persist, the data bridge may be exposed to similar legal scrutiny.
A challenge to the EU–US Data Privacy Framework, or any move by the UK government to reassess it, could affect the UK route as well, potentially forcing UK businesses back onto alternative transfer mechanisms such as the UK International Data Transfer Agreement.
What this means for business
Challenges to EU–US data sharing in the past have left many businesses cautious about relying solely on adequacy frameworks.
Many organisations have adopted a “belt and braces” approach to data sharing, relying on both the EU–US Data Privacy Framework and Standard Contractual Clauses.
No matter which approach businesses have taken, this ruling may change the risk profile of transfers to the US.
In addition, the decision may have broader regulatory implications. US agencies, including the FTC, may become more closely aligned with presidential priorities, potentially leading to greater variability in enforcement approaches over time.
Recommendations
Whilst we await further communications from both the EU Commission and the UK’s Information Commissioner’s Office, businesses should:
- continue to rely on adequacy frameworks where appropriate, but avoid over-reliance for critical data flows without contingency planning;
- ensure alternative transfer mechanisms, such as SCCs or the IDTA, are in place and can be activated quickly without renegotiation;
- revisit transfer impact assessments to reflect increased uncertainty around US oversight and enforcement independence;
- focus on high-volume or business-critical transfers and assess whether additional safeguards or mitigations are required;
- monitor regulatory signals from the EU and UK, as well as potential legal challenges, rather than waiting for formal changes; and
- explore proportionate steps to diversify or localise processing where this would reduce dependency on US transfers.
In practice, this means businesses should prioritise reviewing existing transfer mechanisms (such as SCCs and BCRs), documenting supplementary measures where needed, and building flexibility into contracts to accommodate potential regulatory changes, rather than halting transfers outright.
For further information, please email the authors or your usual CMS contact.