Shortly after the US Supreme Court handed down its decision in Trump v. Slaughter on 29 June, NOYB (None of Your Business), the privacy organisation founded by Max Schrems published a statement and an open letter from Mr Schrems to the European Commission, calling for an orderly withdrawal of its partial adequacy decision for the US with respect to the EU-US Data Privacy Framework (DPF). The DPF is therefore facing renewed scrutiny. Is this the beginning of a "Schrems III" challenge, or can the DPF withstand further examination?
From Safe Harbor to the DPF
Transatlantic data transfers represent a constant balancing act between facilitating multinational business operations and protecting privacy rights. Under EU law, including the General Data Protection Regulation (GDPR), the principle is that fundamental rights should travel with personal data. Article 45 of the GDPR establishes an adequacy decision mechanism, enabling the European Commission to determine whether a third country's data protection safeguards are essentially equivalent to those within the EU - where they are, and an adequacy decision is made, personal data can flow freely to that third country (provided the other requirements of the GDPR are satisfied).
When assessing whether the third country provides essentially equivalent protection for personal data, one of the things that the Commission must consider is whether there is effective oversight from independent supervisory authorities in the third country. In practice, the history of EU-US data transfers has been one of repeatedly rebuilding a legal bridge across the Atlantic to meet these fundamental requirements.
Safe Harbor (2000 - 2015)
The EU-US Safe Harbor was adopted in 2000 and was widely used to facilitate transfers of personal data across the Atlantic. Following the Snowden leaks about US surveillance practices, Max Schrems argued that Safe Harbor should be suspended on the basis that US public authorities have broad access powers over EU personal data, undermining adequacy of the protections.
On 6 October 2015, the Court of Justice of the European Union (CJEU) invalidated the European Commission's Safe Harbor adequacy decision (Schrems I). The invalidation of Safe Harbor was immediate and forced companies to (rapidly) rely on alternative transfer mechanisms, most notably Standard Contractual Clauses (SCCs), for EU-US data transfers.
Privacy Shield (2016 - 2020)
The EU-US Privacy Shield was adopted in 2016 as the successor to Safe Harbor. Max Schrems again challenged the adequacy of the protections afforded under both Privacy Shield and the SCCs. On 16 July 2020, the CJEU ruled that Privacy Shield was invalid (Schrems II) (although SCCs survived the challenge). Privacy Shield's invalidation left SCCs as the primary mechanism for EU-US transfers.
However, the CJEU made clear that companies relying on SCCs are required to also conduct Transfer Impact Assessments (TIAs) to assess on a case-by-case basis whether there is an adequate level of protection to the data transferred and, where there is not, supplemental measures should be added or the transfer should cease if there are no adequate or feasible supplemental measures.
Data Privacy Framework (2023 - present)
The EU-US DPF was adopted in July 2023 as the European Commission's third attempt to secure an adequacy finding for the US, and it remains in force today. The DPF was designed to address the deficiencies identified by the CJEU in the Safe Harbor and Privacy Shield decisions through collaborative efforts between the European Commission and the US administration.
Like its predecessors, the DPF relies on the US Federal Trade Commission (FTC) as a key component of its commercial oversight and enforcement framework. Regarding surveillance concerns raised by the CJEU in Schrems II, the US Department of Justice established the Data Protection Review Court (DPRC), an executive body rather than a constitutional court, to consider individual complaints relating to US surveillance activities.
Current Challenges to the DPF
The DPF, the European Commission's third attempt to create a stable legal basis for transatlantic data flows, is once again under challenge, primarily on two separate legal fronts. While the challenges come from two different directions and remain at different stages of the legal process, both raise questions about the future of a framework relied upon by thousands of organisations for EU-US data transfers. While the UK is no longer part of the EU, the UK has put in place an equivalent regime that piggy backs off the EU-US DPF. As such, these challenges have the potential to also impact transfers from the UK to the US.
A potential Schrems III
The challenge brought by Max Schrems and NOYB stems from the decision by the US Supreme Court in Trump v. Slaughter. It was ruled that the President may remove FTC commissioners at will, overturning a precedent that had stood for over 90 years. As EU law requires oversight to be carried out by independent supervisory authorities, NOYB argues that, following Slaughter, the FTC can no longer be considered sufficiently independent of the executive to support the DPF's adequacy finding.
NOYB has also raised concerns about other oversight mechanisms that are relied upon not only by the DPF but also SCCs and Binding Corporate Rules (BCRs), including the DPRC and the Privacy and Civil Liberties Oversight Board (PCLOB). Following Schrems II, organisations using SCCs (and BCRs) are required to conduct TIAs to evaluate, among other things, the level of safeguards in the destination country where personal data is transferred.
In practice, these assessments frequently rely on safeguards provided by bodies such as the FTC, DPRC and PCLOB (i.e., the assessments leverage the framework that was implemented as part of the DPF, even where the DPF mechanism is not relied upon). NOYB argues that the reasoning in Slaughter raises questions about the independence of these bodies and, consequently, the TIAs upon which many organisations rely for their transfers.
Latombe v Commission
Another challenge has been brought by Philippe Latombe, a member of the French National Assembly. His application for annulment of the DPF was dismissed by the General Court on 3 September 2025, and the case is now before the CJEU on appeal. A central issue in the Latombe proceedings is the independence of the DPRC. On 4 June 2026, the CJEU granted Microsoft permission to intervene in support of the European Commission, demonstrating the willingness of major US technology companies to defend the DPF.
However, a procedural complication is that the CJEU in the Latombe proceedings will generally assess the validity of the DPF based on the facts and circumstances when it was adopted in 2023. The CJEU will therefore need to consider whether subsequent developments, such as Trump v. Slaughter, should be taken into account in the appeal.
What should organisations do now?
No immediate need for panic - DPF remains valid
The DPF remains formally in force unless and until it is repealed by the European Commission or annulled by the CJEU. The Latombe appeal remains pending and judgment has yet to be delivered. Max Schrems has not yet issued formal proceedings and, even if he does, it is likely to take years rather than months for the CJEU to issue a judgment.
Prospect of the DPF continuing to operate
The Slaughter decision calls into question whether the FTC and other elements of the DPF infrastructure satisfy the requirement for independent oversight that lies at the heart of the EU adequacy framework. Unless the legal or political position changes, there is a serious question as to whether the DPF can survive in its current form.
Prepare for the collapse of the DPF
Given the uncertain future of the DPF, organisations should take proactive steps to prepare for potential disruption. There is no one-size-fits-all solution, but a practical starting point is a two-step approach.
First, organisations should map their existing EU-US data transfers (and UK-US transfers and Swiss-US transfers, given these jurisdictions also piggy back on the DPF), including those involving vendors and sub-processors, and identify the transfer mechanisms on which those transfers rely, whether the DPF, SCCs or BCRs.
Secondly, organisations should review the adequacy of their existing TIAs and consider refreshing those assessments as necessary. Particular attention should be paid to implementing (further) supplemental measures, especially given that questions have been raised regarding the independence of the FTC, DPRC and PCLOB. This could include measures such as encryption, data residency, and access controls. Organisations should also, to the extent this has not already been done, start building resilience into their transfer mechanisms (e.g., where the DPF is primarily relied upon, building in a contractual mechanism that the SCCs will apply if the DPF is invalidated).
With uncertainty once again gathering on the horizon, organisations need to consider fallback mechanisms and appropriate contractual protections now, rather than waiting for a "compliance cliff".