Trump v. Slaughter: What the US ruling means for European data protection
A legal bombshell from Washington: In Trump v. Slaughter, the US Supreme Court has overturned a precedent that had stood for more than 90 years. In future, the President will generally be able to dismiss members of the Federal Trade Commission even where none of the statutory grounds previously required for their removal applies.
At first glance, this is a domestic constitutional ruling concerning the powers of the US President. It is not a data protection ruling. It does not introduce a new surveillance law. And it does not amend the GDPR.
European companies should nevertheless pay close attention.
The Federal Trade Commission, or FTC, is an important part of the EU-US Data Privacy Framework, or DPF. Its role includes ensuring that US companies comply with the data protection commitments on which transfers of personal data from Europe to the United States are based.
If the agency becomes more susceptible to political control, an uncomfortable question arises: How robust are transatlantic data protection guarantees if their enforcement can depend on the priorities of the respective US administration?
The ruling will not bring down the DPF overnight. But dismissing it as a matter of US domestic politics would be just as convenient as it would be short-sighted.
What did the Supreme Court decide in Trump v. Slaughter?
The case arose from US President Donald Trump’s dismissal of Democratic FTC Commissioner Rebecca Kelly Slaughter. Under the Federal Trade Commission Act, FTC commissioners could previously be removed only for specified reasons such as inefficiency, neglect of duty or malfeasance in office.
By a vote of six to three, the Supreme Court declared this protection unconstitutional. According to the majority, executive power rests with the President. Officials and agency leaders who exercise that power on the President’s behalf must therefore generally also be removable by the President.
In doing so, the Court expressly overturned what remained of the precedent established in Humphrey’s Executor v. United States in 1935. That ruling had allowed Congress to protect members of certain independent commissions against politically motivated dismissal.
The immediate consequence is clear: the FTC will now be much more closely tied to the political leadership of the White House. A President can dismiss commissioners if they do not support the administration’s regulatory or political objectives.
This does not mean that the President now has unrestricted control over every US institution. Appointments may still require Senate confirmation. The ruling also leaves room for exceptions for institutions that do not exercise executive power or that occupy a special historical position.
Nevertheless, the direction of travel is clear: The institutional distance that previously existed between the President and the FTC has largely disappeared.
What is the FTC – and why is it relevant to European data?
The FTC is not a data protection authority based on the European model. The United States still has no comprehensive federal data protection regulator comparable to the supervisory authorities established under the GDPR.
The FTC is primarily a competition and consumer protection agency. Among other things, it takes action against companies that mislead consumers, engage in unfair business practices or fail to comply with publicly stated privacy and security commitments.
This is where the EU-US Data Privacy Framework comes into play.
US companies can self-certify their participation in the Framework with the Department of Commerce and commit to complying with specific data protection principles. If a company breaches these publicly stated commitments, the violation may be pursued as an unfair or deceptive practice under Section 5 of the FTC Act. The FTC describes itself as a central enforcement authority for the commercial obligations arising from the Framework.
Put simply:
European companies are entitled to rely on certain data protection commitments made by certified US providers. The FTC is intended to help ensure that these commitments exist not only on paper.
The FTC is not responsible for every component of the Data Privacy Framework. However, it plays an essential role in enforcing the Framework against participating companies in practice.
Is the EU-US Data Privacy Framework now invalid?
The simple answer is no. The Supreme Court ruling does not invalidate either the European Commission’s adequacy decision or the obligations of certified US companies. Transfers of data to participating companies can generally continue to be based on the Framework.
The FTC also retains its statutory enforcement powers. It can continue to take action against companies that breach their privacy commitments.
What has changed are the institutional conditions under which the agency exercises these powers.
In future, enforcement priorities may be influenced more strongly by the President’s political agenda. A new administration could more quickly influence:
· which sectors are subject to particularly intensive scrutiny,
· which data protection violations are prioritised,
· how aggressively enforcement proceedings are conducted,
· and how closely the FTC cooperates with European data protection authorities.
This is more than a theoretical concern.
During the first review of the Data Privacy Framework, the European Data Protection Board already criticised the limited number of proactive controls and structural enforcement measures undertaken by the FTC and the Department of Commerce. It expressly called for more independent investigations instead of relying predominantly on complaints from affected individuals.
Making an agency more susceptible to political direction does not resolve these concerns. It may instead reinforce them.
Data protection campaigners are already calling for action
The data protection organisation noyb has taken a particularly critical view of the ruling. It argues that the independence of the FTC assumed by the Framework has been called into question and has urged the European Commission to withdraw the adequacy decision.
For now, this is the position of a data protection organisation – not a judicial finding.
However, it indicates where the next legal dispute could arise: Does the US system still provide European citizens with a level of protection that is essentially equivalent to that available under EU law?
The EU-US Data Privacy Framework has not yet conclusively survived all legal challenges. In September 2025, the General Court of the European Union dismissed an action against the adequacy decision. However, an appeal is now pending before the Court of Justice of the European Union.
Trump v. Slaughter is therefore not automatically the next “Schrems moment”. But the ruling gives critics of the Framework an additional argument.
What the ruling changes – and what it does not
What does not change immediately
· The EU-US Data Privacy Framework remains valid for the time being.
· Certified US companies remain bound by their obligations.
· The FTC retains its statutory enforcement powers.
· Existing technical security measures implemented by cloud providers remain unchanged.
· The ruling neither expands nor restricts the US CLOUD Act.
· The ruling alone does not result in an immediate prohibition on corporate data transfers.
What does change
· FTC commissioners can be dismissed more easily for political reasons.
· The agency can be aligned more quickly with the policy of a new administration.
· Regulatory and enforcement priorities may fluctuate more significantly.
· The long-term institutional stability of the DPF becomes more open to challenge.
· Companies have another reason to review their dependence on US legal and supervisory structures.
Data security is not the same as data protection
The ruling does not suddenly make US cloud services less secure.
Encryption, access controls, backups, two-factor authentication and protection against cyberattacks operate independently of who leads the FTC. These measures form part of data security.
Data protection, by contrast, concerns whether personal data is processed lawfully, which rights individuals have and whether violations are actually investigated and enforced.
Trump v. Slaughter primarily affects this second level. The ruling does not change the underlying technology. It changes the institutional conditions under which data protection rules are enforced in the United States.
This distinction is important for companies: a provider may have excellent technical safeguards while still being exposed to legal or political risks that arise outside its own security architecture.
Why the ruling is primarily a question of data sovereignty
This is where the case has its greatest significance: data sovereignty.
Data sovereignty means retaining control over business-critical information. This includes not only personal data, but also contracts, construction plans, research data, financial information, M&A documents and intellectual property.
That control does not depend solely on the country in which a server is located.
The entire chain of control matters:
· Where is the provider headquartered?
· Which legal system applies to the provider?
· Where are its parent company and owners based?
· Which subcontractors are involved?
· Which government access rights exist?
· Which international agreements form the basis for the processing?
· Which authorities supervise compliance?
· How quickly can the political framework change?
The US CLOUD Act demonstrates why the location of a data centre alone is not sufficient where the provider is also subject to US law. Trump v. Slaughter adds another dimension to this debate: the reliability of supervision and legal enforcement can also depend on political developments.
Practical guidance: These are the issues you should review
Our assessment: Companies that process sensitive data should not rely exclusively on certifications, contractual clauses or a European server location. The decisive question is how many legal, institutional and geopolitical dependencies sit behind a solution.
What companies should review now
The ruling does not create an immediate need to change providers. It does, however, offer a good opportunity to review existing data flows and cloud dependencies objectively.
Companies should consider the following questions in particular:
Which data is transferred to the United States?
Not every file has the same protection requirements. For particularly sensitive information, restricting third-country transfers is more important than it is for publicly available or non-critical data.
What is the legal basis for the transfer?
Companies should document whether a provider relies on the Data Privacy Framework, Standard Contractual Clauses or another transfer mechanism.
Who is actually behind the provider?
A data centre in Frankfurt or Paris does not automatically turn a US corporation into a European provider. Corporate headquarters, group structure and legal jurisdiction should therefore be assessed alongside the location of the servers.
Is there a realistic alternative?
Companies do not need an exclusively European solution for every service immediately. For business-critical documents, confidential projects and particularly sensitive data, however, they should consider whether unnecessary third-country dependencies can be avoided.
How easily can the provider be changed?
Data sovereignty also depends on whether information can be exported in full and transferred to another provider when required. Technical and contractual lock-in effects should therefore form part of every provider assessment.
Made & hosted in Germany reduces dependencies
A German provider cannot make international developments irrelevant. It can, however, significantly reduce a company’s dependence on them.
netfiles is headquartered, developed and hosted in Germany. Data is processed in German data centres in Munich and Nuremberg. netfiles has no US parent company and is not subject to the US CLOUD Act.
For companies, this means:
· no necessary transfer of data to the United States,
· no dependence on the EU-US Data Privacy Framework when using netfiles data rooms,
· clear legal jurisdiction within Germany,
· and data processing that does not depend on the changing political priorities of a US supervisory authority.
This does not replace technical security measures. It complements them with legal and organisational clarity.
True data sovereignty can only be achieved when technology, hosting, corporate structure and applicable law are aligned.
Conclusion: No collapse overnight – but a clear warning signal
Trump v. Slaughter is not a data protection ruling. It does not automatically invalidate the EU-US Data Privacy Framework or make transatlantic data transfers immediately unlawful.
However, the ruling changes an important part of the institutional foundation on which European companies and authorities have relied. A key US enforcement authority can now be influenced more directly by the President’s political agenda.
The extent to which this will actually affect data protection and the DPF will become clearer over the coming months and through further court proceedings.
However, one fundamental conclusion can already be drawn:
Data sovereignty must not depend on political, legal and institutional conditions in a third country remaining permanently stable.
Companies do not need to panic. But they should take an honest look at which dependencies are necessary – and which could already be avoided when particularly sensitive data is involved.
Learn more – netfiles is your partner for data sovereignty
European cloud solutions are not a fallback option – they are the strategically right choice for companies that want to retain control over their data.