The EU-US Data Privacy Framework is facing renewed legal scrutiny after privacy advocacy group noyb announced plans to challenge the agreement following a recent U.S. Supreme Court decision involving the Federal Trade Commission.
In a letter sent to the European Commission on June 30, noyb founder Max Schrems argued that the Supreme Court’s ruling in Trump v. Slaughter undermines a central requirement of the EU-US Data Privacy Framework: independent oversight of personal data transfers between the European Union and the United States.
The case concerns the U.S. Supreme Court’s interpretation of presidential authority over independent executive agencies. According to noyb, the decision means that agencies such as the FTC can no longer be considered constitutionally independent, a status the European Commission relied upon when adopting the framework in 2023.
Why the FTC Matters to the Framework
The EU-US Data Privacy Framework, formally adopted through Commission Implementing Decision EU 2023/1795, allows certified U.S. companies to receive personal data from the EU under a system deemed to provide adequate privacy protections.
EU law requires that data protection oversight be carried out by an independent authority. The FTC has been the primary U.S. regulator fulfilling that role under the framework.
In its letter, noyb said the European Commission’s adequacy decision references the FTC hundreds of times and treats the agency as the key enforcement body for privacy obligations.

Schrems argued that if the FTC’s independence is no longer guaranteed, the legal foundation supporting the adequacy decision may no longer satisfy EU constitutional requirements.
Potential Impact on Data Transfers
The challenge does not immediately suspend transatlantic data flows. The European Commission’s adequacy decision remains in force unless it is repealed by the Commission or annulled by the Court of Justice of the European Union.
However, the development could create uncertainty for companies that rely on the framework to transfer customer and employee data between Europe and the United States.
noyb is also questioning other oversight mechanisms tied to the agreement, including the Data Protection Review Court created under Executive Order 14086 and the Privacy and Civil Liberties Oversight Board.
The organization argues that these bodies may also be affected by the Supreme Court’s reasoning because their independence depends on executive or statutory arrangements that could now face constitutional challenges.
Background: A Long-Running Dispute
The EU-US Data Privacy Framework is the third major attempt to create a legal basis for EU-U.S. data transfers.
Earlier arrangements, Safe Harbor and Privacy Shield, were both struck down by the Court of Justice of the European Union in the Schrems I and Schrems II judgments.
Those rulings focused on U.S. surveillance laws and the lack of effective judicial remedies for EU citizens.
The current framework was introduced in 2023 after negotiations between the European Commission and the Biden administration.
What Happens Next?
noyb has urged the European Commission to begin planning an orderly transition away from the current arrangement rather than waiting for a court ruling.
The group says it intends to file a formal lawsuit challenging the adequacy decision if the Commission does not act.
Legal experts expect any court challenge to take several years before reaching a final judgment.
For now, the EU-US Data Privacy Framework remains valid, but the Supreme Court’s decision has reopened a debate that many businesses hoped had been settled.

