U.S. Supreme Court FTC Ruling Prompts Fresh Scrutiny of EU-U.S. Data Privacy Framework
Time 2 Minute Read

As reported by Bloomberg Law, a European Commission spokesperson has stated that the European Commission will assess whether the recent U.S. Supreme Court ruling in Trump v. Slaughter, which addressed the U.S. president’s authority to remove Federal Trade Commission Commissioners, could affect the validity of the EU-U.S. Data Privacy Framework (the “DPF”). The DPF is a mechanism that many organizations rely on to legitimize personal data transfers from the EU to certified U.S. companies. Although the Supreme Court ruling did not address privacy, the EU General Data Protection Regulation (“GDPR”), international data transfers, or the DPF directly, the ruling has prompted discussion because the FTC plays an important role in enforcing the DPF.

The ruling has drawn attention because the European Commission’s 2023 adequacy decision with respect to the DPF relied in part on the FTC as an independent enforcement authority under the DPF. The recent legal development has also prompted criticism from privacy advocacy group None of Your Business (“NOYB”), which has argued that the ruling calls into question whether the FTC remains sufficiently independent for EU law purposes and has asked the European Commission to withdraw the DPF adequacy decision. NOYB has also announced its plans to pursue further litigation before the Court of Justice of the European Union (“CJEU”).

The DPF is already being challenged before EU courts, and the ruling may add to scrutiny of whether U.S. safeguards remain essentially equivalent to EU data protection standards. For now, however, these remain legal arguments rather than legal determinations. The adequacy decision remains in force, as no court has invalidated the DPF, and U.S. companies certified under the DPF remain eligible to receive covered transfers of personal data. The immediate effect therefore is greater legal uncertainty, rather than any immediate change to the legal basis for cross-border data transfers.

The European Commission has indicated that, as with all adequacy decisions, the Commission continues to monitor whether a high level of data protection is ensured and will remain in close contact with the U.S. Administration. The European Commission’s spokesperson also noted that the GDPR provides the European Commission with the tools to respond if the adequacy decision no longer provides sufficient protection.

View the U.S. Supreme Court ruling. Read NOYB’s publication.

Search

Subscribe Arrow

Recent Posts

Categories

Tags

Archives

Jump to Page