As the 2026 World Cup progresses into the Round of 32, international rivalries are heating up. But while fans are debating whose sports program is better, data privacy nerds are closely examining their own rivalries in the realm of cross-border data transfers. On Monday, June 29, 2026, the Supreme Court of the United States issued its opinion in Trump v. Slaughter, overturning a 90-year precedent that protected employees at independent federal agencies from at-will removal by the President. While this case will surely be included in future editions of constitutional law textbooks, there is an indirect effect getting far less attention, namely, whether, absent any politically independent federal agency, the European Union will revoke the United States’s conditional adequacy status for purposes of international data transfers.
In the digital era, the United States and the European Union have had a strained relationship when it comes to data transfers containing personal information. The European Union has maintained a reputation for stalwartly protecting the data privacy rights of EU and EEA residents, culminating in what is widely considered the gold standard of data privacy regulations: the General Data Protection Regulation (“GDPR”). The United States, on the other hand, has prioritized commercial and economic development, with no comprehensive federal data privacy regulation (or regulator), leaving privacy regulation principally to the individual states.
Prior to 2015, with respect to international transfers from the EU to the U.S., there existed a “Safe Harbor” framework under which U.S. companies could self-certify to the U.S. Department of Commerce that they would adhere to data privacy principles sufficient to satisfy EU standards. In 2015, an Austrian activist, Max Schrems, took issue with Facebook’s privacy practices under the Safe Harbor and successfully challenged them in court (often referred to as “Schrems I”). Schrems I eventually made it to the EU’s highest court, which held that the Safe Harbor was insufficient under EU standards. Max Schrems’ advocacy did not end there. In 2016, the Safe Harbor was replaced with the “Privacy Shield,” a more rigorous self-certification approach with an enforcement mechanism administered by the Federal Trade Commission (“FTC”). Despite its stronger consumer protections, the Privacy Shield similarly fell to a challenge led by Max Schrems, who once again litigated his challenge all the way to the EU’s highest court (“Schrems II”).
Jump ahead to 2023, and the two transatlantic economic superpowers agreed to a third data transfer regime, the “EU-US Data Privacy Framework” (the “Framework”). The Framework requires that, with respect to data transfers from the EU to the U.S., oversight of data protection must be conducted by an “independent” authority. To fill this role, the U.S. consistently presented the FTC as an “independent” agency to facilitate data transfers while ensuring data privacy protections on par with the GDPR.
With the decision in Slaughter, the FTC’s independence is in question because the President of the United States now has direct authority over the agency. Absent oversight through an independent agency, the EU may find the Framework untenable. Max Schrems has already voiced his dissatisfaction with the matter, noting: “Even in the European Commission's logic, the basis for any EU-US data transfer deal is dead. We call upon the Commission to start an orderly exit from the US cloud – which is not easy, but unfortunately unavoidable. The Commission built a legal house of cards under industry pressure. Now that it clearly collapses, it has to take responsibility.”
Whether we will see a “Schrems III” before the EU’s highest court remains to be seen. But one thing is certain: the Framework is in jeopardy, and data technology companies should prepare accordingly. As with so many of the World Cup matches, don’t let your company’s ability to do business come down to penalty kicks.
Brown Rudnick’s Cybersecurity and Data Privacy Team can help prepare you for the possible invalidation of the EU-US Data Privacy Framework. Please contact Matthew Richardson, Morgan Jones, Rodger D. Moss, Jr., or Daniel Healy to discuss how Brown Rudnick can help you.
