Back to Blog

Data Transfer · Trump v. Slaughter

Independence Revoked: Trump v. Slaughter and the Fate of the DPF

·8 min read
An institutional building with an oversight shield detaching, between a European and a United States platform

On 29 June 2026, in Trump v. Slaughter, the US Supreme Court held that the President may remove the commissioners of the Federal Trade Commission at will, overturning 91 years of Humphrey's Executor. A domestic constitutional-law ruling that nonetheless shakes the pillar EU-US adequacy rests on: independent enforcement.

In one lineThe "for cause" protections of FTC commissioners violate the separation of powers. Humphrey's Executor (1935) is overruled. The FTC is no longer an independent agency — and the DPF was built precisely on that independence.

This is not a privacy ruling. It does not touch the GDPR, does not concern data transfers, introduces no new surveillance powers. And yet Trump v. Slaughter may prove the most consequential decision of 2026 for anyone transferring personal data from Europe to the United States. Because when the independence of the authority overseeing the Data Privacy Framework falls, what trembles are the very foundations of the European adequacy decision. And because — this is our thesis — the ruling does not create a new problem: it ratifies a structural dependence the digital-services world has long known about.

The fact: a removal «pursuant to Article II»

March 2025. President Trump removes two Democratic commissioners of the Federal Trade Commission, Rebecca Slaughter and Alvaro Bedoya. No allegation of inefficiency, neglect or malfeasance — the three exhaustive causes set by the FTC Act of 1914. The stated reason is another: their tenure is «inconsistent with [the] Administration's priorities», and the removal occurs «pursuant to [the President's] authority under Article II of the Constitution».

Slaughter sues. The Washington district judge sides with her and reinstates her: Humphrey's Executor v. United States (1935) — the precedent that for ninety years shielded multimember independent agencies — is still living law, and only the Supreme Court can overrule it. The D.C. Circuit affirms. In September 2025 the Supreme Court grants a stay (effectively allowing the removal), takes up the case with certiorari before judgment, and sets argument for December.

  • March 2025Trump removes Slaughter and Bedoya from the FTC without invoking any of the causes set in 15 U.S.C. § 41.
  • 17 July 2025The District Court (D.D.C.) declares the removal ultra vires and reinstates Slaughter with a permanent injunction.
  • 22 September 2025The Supreme Court stays the reinstatement, grants certiorari before judgment and calendars the case.
  • 8 December 2025Argument. Roberts calls Humphrey's Executor «a dried husk» of what it was thought to be.
  • 29 June 20266-3 decision: the for-cause protections of FTC commissioners are unconstitutional. Humphrey's Executor is formally overruled. Reversed and remanded.

The ruling: the unitary executive becomes doctrine

Chief Justice Roberts, writing for the majority (with Alito, Gorsuch, Kavanaugh, Barrett and — in part — Thomas), starts from the text: Article II of the Constitution vests «the executive Power» in a single person, the President, together with the duty to «take Care that the Laws be faithfully executed». Whoever exercises executive power on his behalf is his subordinate; and a subordinate the President cannot remove is not, constitutionally, a subordinate.

The core of the reasoning is the demolition of the fiction on which Humphrey's Executor rested: the idea that the 1935 FTC exercised functions «neither political nor executive», but only «quasi-legislative» and «quasi-judicial». Today's FTC — the Court observes — administers around 80 statutes covering nearly every sector of the economy, issues rules with the force of law, conducts investigations, adjudicates in-house with monetary penalties, and litigates in the name of the United States. It exercises, «unquestionably», executive power.

«If anything more is left of Humphrey's, we overrule it.»

Roberts, C.J. — Trump v. Slaughter, opinion of the Court

The 1935 precedent is not distinguished, narrowed or side-stepped, as in the earlier stages (Free Enterprise Fund, 2010; Seila Law, 2020; Collins, 2021): it is expressly overruled. To the reliance argument — Congress and institutions built for ninety years on the assumption of independence — the Court responds by flipping the perspective: «independent» agencies were never truly independent in the sense of answering «only to the people»; insulation from the President produces, if anything, «increased subservience to congressional direction».

The exceptions (for now)

The majority draws two reservations. The first, decided the same day in Trump v. Cook (5-4): the Federal Reserve, as a «quasi-private» entity within the historical tradition of the First and Second Bank, stays outside the perimeter — the attempt to remove Governor Lisa Cook fails, at least on an interim basis. The second: the tenure protections of non-Article III court judges (Tax Court, Court of Federal Claims) remain «questions for another day». Everything else — FERC, CPSC, NRC, MSPB, NLRB, SEC, to name the agencies the dissent evokes — falls within the cone of removal at will.

The dissent: a power «unknown even to the English Crown»

Justice Sotomayor — who read the summary of the dissent from the bench, a rare gesture signalling the perceived institutional gravity — writes, with Kagan and Jackson, that the decision «reshapes our Government»: dozens of independent commissions become purely executive agencies, transferring «tremendous power over broad swaths of American life» into the President's hands. The duty to faithfully execute the laws becomes, in her words, a licence to act in defiance of those same laws.

The case file

Case
Trump v. Slaughter, No. 25-332, 609 U.S. ___ (2026)
Outcome
Reversed and remanded, 6-3
Provision struck
15 U.S.C. § 41 — removal only for «inefficiency, neglect of duty, or malfeasance in office»
Precedent overruled
Humphrey's Executor v. United States, 295 U.S. 602 (1935)
Doctrine
Unitary executive: whoever exercises executive power is removable at will by the President
Exceptions
Federal Reserve (Trump v. Cook); non-Article III courts (question reserved)

The European knot: 259 references to an independence that is no more

Here the ruling stops being a purely American domestic affair. The Union's primary law — Article 16(2) TFEU and Article 8(3) of the Charter of Fundamental Rights — requires that oversight of personal-data protection be entrusted to independent authorities. And the Schrems I and Schrems II case law made clear that a third country, to benefit from an adequacy decision, must guarantee an «essentially equivalent» level of protection — independent supervision included.

In the Data Privacy Framework, that role is played in large part by the FTC: it is the authority overseeing compliance with the principles by certified US companies and a channel of redress for European data subjects. By noyb's count, Implementing Decision (EU) 2023/1795 references the FTC — and its independence — 259 times. Trump v. Slaughter has just declared that independence unconstitutional as a matter of American domestic law.

The reaction was immediate. On 30 June noyb sent a formal letter to the European Commission asking for the orderly withdrawal of the adequacy decision and announcing, failing that, an action before the Court of Justice for annulment — a proceeding the organisation itself estimates at two to three years. The Commission, through a spokesperson, said it had taken note of the ruling and would carefully assess its implications. Meanwhile the appeal in the Latombe case is already pending before the CJEU, after the EU General Court had dismissed the challenge to adequacy at first instance in September 2025: the American ruling gives that appeal fresh ammunition.

«Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision.»

Max Schrems — noyb, 29 June 2026

What changes now (and what does not)

Clarity is needed, not alarm. The adequacy decision remains in force: it can fall only through withdrawal by the Commission or annulment by the CJEU, and neither is imminent. DPF-certified US companies remain entitled to receive personal data from the EU, and no EDPB guidance has called for abandoning the instrument. The FTC too retains its enforcement powers: what has changed is not its competence, but the institutional frame in which it exercises it — from now on, enforcement priorities and intensity answer directly to the White House's political agenda.

But beware the «fallback» trap: those thinking of taking refuge in standard contractual clauses are not sheltered. SCCs require Transfer Impact Assessments that, in practice, rest on the very same safeguards now in question — the FTC, the Privacy and Civil Liberties Oversight Board (already paralysed by the administration in early 2025) and the Data Protection Review Court. If those safeguards can no longer be qualified as independent, the TIAs must be rewritten, and the conclusions may not be the same as yesterday's.

What the ruling does not decide

To read Trump v. Slaughter correctly one must delimit its perimeter:

  • It is not a ruling on the DPF nor on privacy: the Court does not mention the GDPR, adequacy or transatlantic transfers.
  • It does not invalidate the adequacy decision, which stays effective until withdrawn by the Commission or annulled by the CJEU.
  • It does not touch the Federal Reserve (Trump v. Cook, same day) nor the non-Article III courts: expressly reserved questions.
  • It does not strip the FTC of its powers: it changes the chain of command, not the competences.
  • It does not close the litigation: the case returns to the merits court, and the European match (noyb letter, Latombe appeal) has only just begun.

The thesis: the ruling ratifies what we already knew

The DPF was born fragile already under the Biden administration: the third attempt after Safe Harbour and Privacy Shield, both annulled by the CJEU, built largely on the same materials as its predecessors — revocable executive orders, redress bodies internal to the executive, administrative rather than legislative guarantees. Trump v. Slaughter does not create the vulnerability: it makes it explicit and elevates it to constitutional rank. What many suspected — an FTC exposed to direct political influence — is today Supreme Court doctrine.

And there is a deeper level. Even if tomorrow the CJEU annulled the DPF, the European problem would not be solved, because it is not (only) a problem of the legal basis for transfers. It is a problem of structural dependence: the infrastructure, cloud, platforms and digital services the European economy runs on are largely extra-EEA and subject to US national-security logic. The CLOUD Act — together with the other access instruments in US law — makes governmental access to data possible regardless of the servers' physical location. Localising data in Europe, alone, is not enough if the provider remains subject to American jurisdiction.

The real European emergency, then, is not the abstract «data sovereignty» of conference panels. It is the construction — concrete, industrial, regulatory — of an ecosystem that reduces this dependence: competitive European cloud and infrastructure, credible tech-sovereign alternatives, and a genuinely independent enforcement capacity that does not hinge on the constitutional balances of a third country. After 29 June 2026, these are no longer policy options: they are strategic priorities.

Operational: what to do now

For companies transferring personal data to the United States — directly or through their supplier chain — the moment calls for method:

  1. 01Map the transfers. Inventory all flows to the US (cloud providers, SaaS, analytics, HR tech, sub-processors) and identify, for each, the transfer tool in use: DPF, SCC, BCR.
  2. 02Adopt the dual track. For flows today based on the DPF alone, prepare backup SCCs already signed or quickly activatable, as many organisations learned to do after Schrems II.
  3. 03Update the TIAs. Revisit the Transfer Impact Assessments citing the FTC, PCLOB or DPRC as safeguards: their qualification as independent authorities is now legally contested and must be re-assessed, documenting supplementary measures (encryption with keys under European control, pseudonymisation, minimisation).
  4. 04Assess European alternatives. For higher-risk or more strategically sensitive processing, start a serious evaluation of EEA providers or architectures that reduce exposure to third-country jurisdictions — not as an ideological exercise, but as operational-continuity risk management.
  5. 05Monitor institutional moves. The European Commission, EDPB and CJEU (Latombe appeal, possible noyb action) will set the pace. Those who arrive with flows mapped and fallbacks ready will not be caught off guard, whatever the outcome.

Sources

U.S. Supreme Court, Trump v. Slaughter, No. 25-332, 609 U.S. ___ (29 June 2026); U.S. Supreme Court, Trump v. Cook (29 June 2026); Humphrey's Executor v. United States, 295 U.S. 602 (1935); Myers v. United States, 272 U.S. 52 (1926); Seila Law LLC v. CFPB, 591 U.S. 197 (2020); Free Enterprise Fund v. PCAOB, 561 U.S. 477 (2010); 15 U.S.C. § 41 (FTC Act); Commission Implementing Decision (EU) 2023/1795 (EU-US Data Privacy Framework); Articles 16 TFEU and 8 of the EU Charter of Fundamental Rights; CJEU, C-362/14 Schrems I and C-311/18 Schrems II; EU General Court, Latombe v Commission (September 2025, appeal pending); noyb, «US Supreme Court just blew up EU-US Data Transfers» and letter to the European Commission of 30 June 2026; U.S. CLOUD Act, 18 U.S.C. § 2713.

This article is for informational purposes only and does not constitute legal advice nor replace professional counsel tailored to the specific case. The positions expressed reflect the analysis of Tomato Blue RegTech.

Does your stack hold up in a post-DPF scenario?

Tomato Blue supports companies in mapping extra-EEA transfers, updating Transfer Impact Assessments and defining data-sovereignty strategies — from gap analysis to operational governance.

Request a Gap Analysis →