Three Bridges, Same River
The Supreme Court just ruled FTC independence unconstitutional, and the EU-US data deal leans on that independence 259 times. Safe Harbor died in 15 years. Privacy Shield died in 4. The third bridge is cracking on its third birthday, and everyone is still pretending the river is mandatory.
On June 29, the Supreme Court decided Trump v. Slaughter, a 6-3 ruling about whether a president can fire Federal Trade Commission commissioners without cause. And, setting aside the politics of it, it may have knocked the legal floor out from under every byte of European personal data sitting on an American server.
The EU-US Data Privacy Framework is the agreement that lets companies move European personal data to the United States without individually lawyering every single transfer. It rests on a European Commission finding that the US provides protection "essentially equivalent" to EU law, and that finding leans on the FTC acting as an independent enforcer. How hard does it lean? By one count, there are separate references to the FTC in the shared legislation. Since 2000, every version of the EU-US data deal has named the FTC as the cop on the beat, and the Supreme Court just ruled that the cop serves at the pleasure of the president. One day after the ruling, noyb sent the Commission a letter asking it to withdraw the adequacy decision in an orderly fashion, and started preparing a challenge before the Court of Justice of the European Union. The Commission, for its part, says it is assessing the implications, which is what you say when your lawyers are already in the building on a Saturday.
By some accounts, the ruling does not touch the redress mechanism, because the Data Protection Review Court sits inside the Department of Justice, not the FTC. However, it is also a strange comfort, because the DPRC exists by executive order, inside the executive branch, revocable by the same pen that created it. And the Privacy and Civil Liberties Oversight Board, which the framework also cites for oversight, has been functionally headless since January 2025, when its Democratic members were fired. The defense amounts to the specific pillar the Court demolished isn't load-bearing, as long as you ignore the other pillars already lying in the yard.
This isn't unprecedented, by the way. Safe Harbor was adopted in 2000 and lasted fifteen years before the CJEU struck it down in Schrems I. Privacy Shield was adopted in July 2016 and lasted four years before Schrems II killed it, on the grounds that US surveillance law and the lack of independent redress made the promises unenforceable. The Data Privacy Framework was adopted on July 10, 2023, which means the challenge now being drafted lands days after its third birthday. Each bridge was negotiated faster than the last and is failing faster than the last, and every one of them failed for the same underlying reason; the European legal system requires independent oversight of data access, and the American legal system keeps demonstrating, in increasingly explicit terms, that it does not have any to offer.
In civil engineering, when the same bridge design collapses twice in the same river, nobody commissions a third from the same blueprints and calls the problem solved. They ask what's wrong with the design. And the design flaw here is not the FTC, or the DPRC, or whichever acronyms get shuffled in the Framework 4.0 that gets negotiated in a panic next year. The design flaw is the assumption underneath all three frameworks: that the data has to cross the river at all.
Think about what an adequacy decision actually is. It is a stack of paper asserting that a warehouse in Virginia is, legally speaking, in Europe. Everything else follows from trying to make that fiction hold against a legal system that keeps telling you, on the record, that it won't. For twenty-five years the compliance industry has been building ever more elaborate versions of the same paper bridge, while treating the underlying act, copying the data out of its jurisdiction, as a law of nature.
It isn't remotely a law of nature. It is an architectural choice, and it stopped being a necessary one years ago. Leave the personal data where it was collected, run the processing next to it, and move the outputs: the aggregates, the model updates, the answers. (Have I mentioned we have a platform that helps you do just that?) Those cross borders just fine, because what GDPR governs is personal data, not arithmetic performed on it. In other words, the entire quarter-century of transatlantic legal drama exists to legalize a data transfer that, for a growing share of workloads, you no longer need to perform. The cheapest adequacy decision is the transfer you never make. (Yes, that is the same lesson as your egress bill. Funny how physics and law keep converging on the same answer.)
The EU is not waiting around, incidentally. Brussels adopted a tech sovereignty package in June built on the observation that Europe depends on foreign suppliers for over 80% of its key digital products and infrastructure, and the Commission is already weighing whether sensitive government workloads should sit on US clouds at all. The winds, as they say, are blowing in a direction. Pay attention.
The adequacy decision remains in effect today, and the thousands of certified companies can keep relying on it, right up until the CJEU says otherwise, on whatever schedule the CJEU feels like. If your compliance posture depends on the fourth attempt at a bridge whose first three attempts are at the bottom of the river, you do not have a compliance posture. You have a countdown, and you don't get to see the number.
Want to learn how intelligent data pipelines can reduce your AI costs? Check out Expanso. Or don't. Who am I to tell you what to do.
NOTE: I'm currently writing a book based on what I have seen about the real-world challenges of data preparation for machine learning, focusing on operational, compliance, and cost. I'd love to hear your thoughts!