Trump v. Slaughter Decision

Written by Katerina Douni

The recent Trump v. Slaughter decision by the US Supreme Court has prompted renewed debate over the future of the EU-US Data Privacy Framework (DPF). While the framework remains legally valid, organisations that transfer personal data to the United States should understand what the ruling means, why it matters, and whether any action is required.

What the Trump v. Slaughter Decision Means for the EU-US Data Privacy Framework

What the Trump v. Slaughter Decision Means for the EU-US Data Privacy Framework

The future of the EU-US Data Privacy Framework (DPF) has once again come under scrutiny following the recent US Supreme Court decision in Trump v. Slaughter. On 29th June, the US Supreme Court delivered its judgment ruling that the President can remove Federal Trade Commission (FTC) commissioners without the restrictions that previously applied, meaning the FTC can no longer be regarded as an independent agency in the same way as before. 

This has led the privacy advocacy organisation noyb to argue that one of the key safeguards underpinning the European Commission’s adequacy decision has been weakened, as the Commission relied on the FTC’s independence when concluding that the United States provides an adequate level of protection for personal data.  

Although the EU-US Data Privacy Framework remains legally valid, the judgment has raised questions about its long-term future and whether it may face another legal challenge before the Court of Justice of the European Union (CJEU). 

This development is most relevant to organisations that transfer personal data to the US, particularly where rely on the EU-US DPPF or the UK Extension. This includes organisations using US-based cloud services, HR platforms, CRM systems, payroll providers and other software providers certified under DPF.  

This is not the first time organisations have found themselves in this position. 

Many will remember the end of Safe Harbour in 2015, followed by the Privacy Shield being struck down in the Schrems II judgment in 2020. On both occasions, organisations had to revisit their international data transfer arrangements and adopt alternative safeguards. 

Whether or not the current challenge succeeds, it highlights a wider issue. International data transfers between Europe and the United States continue to depend on legal frameworks that are regularly challenged before the courts. For organisations, this creates uncertainty and makes long-term planning more difficult. 

 What does this mean in practice? 

For now, there is no immediate action required.  

The EU-US Data Privacy Framework (DPF), including the UK Extension, remains a valid transfer mechanism under both EU GDPR and UK GDPR, and organisations can continue relying on it for transfers of personal data to certified US organisations. There has been no change to the law and neither European nor UK regulators have advised organisations to stop using it. 

That said, this is a timely reminder to understand how your organisation transfers personal data outside the UK and Europe. 

Many organisations know they use Microsoft 365, Google Workspace, Salesforce or other US-based services, but have never documented exactly which transfer mechanisms they rely upon or whether appropriate transfer assessments have been completed. 

If the legal position were to change, organisations that already understand their international transfers would be in a much stronger position than those starting from scratch.  

 What if the DPF was invalidated?  

If the DPF were to be invalidated, organisations would not necessarily need to stop transferring personal data to the United States immediately, but they would need to rely on alternative transfer mechanisms such as Standard Contractual Clauses (SCCs) under EU law, or the International Data Transfer Agreement (IDTA) or UK Addendum under UK GDPR. 

In practice, however, this would not be a simple “swap” of legal mechanisms.  

This is because of the key principles established in the Schrems II judgment, where the Court of Justice of the European Union ruled that international data transfers must ensure an “essentially equivalent” level of protection to that guaranteed within the EU. 

The Court also found that US surveillance laws could, in certain circumstances, allow public authorities to access personal data in ways that were not sufficiently limited or subject to effective legal remedies, which led to the invalidation of the previous Privacy Shield framework. 

As a result, even when organisations rely on SCCs, the IDTA, or the UK Addendum, they are required to carry out a Transfer Risk Assessment (TRA) to assess whether the laws and practices in the destination country could impact the effectiveness of those safeguards. Where risks are identified, additional technical and organisational measures may be necessary to protect the data in practice. 

Many large technology providers already offer SCCs and IDTAs alongside their participation in the DPF, meaning contractual arrangements may remain in place even if the DPF is removed. The main impact would therefore be on organisations’ legal assessment and justification for the transfers, which would need to be revisited and strengthened. 

 Does this mean organisations should move all their data to Europe or the UK? 

Not necessarily. It’s true that some commentators have suggested that organisations should reduce their reliance on US technology providers or move more data into UK or European data centres. 

While this may reduce some risks, it is not always a complete solution. If a US-based provider can still remotely access the data, the international transfer issues may still arise: the location of the server is only one part of the picture. 

For most organisations, good governance remains far more important than where the server is physically located – for this reason, understanding what personal data leaves the UK, where it goes, why it is transferred and what safeguards are in place is likely to have a greater impact on compliance than simply changing suppliers. 

So, what should organisations do now?  

  • Continue relying on the DPF where it is appropriate 
  • Identify which suppliers rely on the DPF or UK Extension (this should be already determined within RoPA) 
  • Monitor developments from the European Commission, EDPB and ICO.  

 Our view 

The Trump v. Slaughter decision should not cause organisations to panic, but neither should it be ignored: the DPF remains valid and organisations should continue using it where appropriate. However, the judgment is another reminder that international data transfers remain one of the most legally complex areas of data protection law. 

Rather than asking whether the DPF will survive, organisations should be asking themselves different questions:  

  • Do we know where our personal data is transferred? 
  • Have we identified which suppliers rely on the DPF? 
  • Have we completed Transfer Risk Assessments where they are required? 
  • If the legal position changed tomorrow, could we quickly identify the transfers that would be affected? 

These are sensible governance questions regardless of what happens to the DPF. 

It is important to note that many organisations assume they do not transfer personal data to the US because their supplier stores data in the UK or Europe. However, common business systems are operated by US companies or allow support, maintenance or remote access from the US – this means international transfers can occur even where data is hosted within Europe.  

In summary, we are now waiting to see how this develops following the Trump v. Slaughter decision. For the moment, the EU-US Data Privacy Framework remains valid and in force. Organisations can continue to rely on it for international data transfers. However, its long-term stability is now being questioned. Further legal or regulatory developments will be important to watch closely. 

Data Protection People can help you. Understanding international data transfers is no longer simply a contractual exercise; organisations should understand where personal data is transferred, which transfer mechanisms they rely upon and whether appropriate assessments have been completed. Our data protection consultancy team can help you:  

  • Review your international data transfers activities 
  • Identify where you rely on the DPF, SCCs or the UK IDTA 
  • Complete or review your TRAs 
  • Undertake due diligence on your suppliers and identify risks and opportunities, in particular assessing supplier arrangements 
  • Ensure your transfer documentation remains up to date. 

If you would like to discuss your international transfer arrangements or understand how these developments may affect your organisation, please get in touch with our team. 

 Relevant links:  

US Supreme Court ruled  

NOYB formally wrote to the European Commission calling for it to withdraw its adequacy decision on the US.