US Supreme Court FTC Ruling Raises Fresh Threat to EU–US Data Transfers
A recent US Supreme Court ruling on the FTC's authority is creating new uncertainty for EU–US data transfer agreements. Legal experts warn the decision could undermine existing frameworks like the Data Privacy Framework (DPF), potentially complicating transatlantic data flows. The ruling adds to ongoing challenges in aligning US surveillance practices with EU privacy standards.
Background
- The US Supreme Court ruled (April 2025) that the Federal Trade Commission (FTC) can seek monetary relief in federal court for past unfair or deceptive practices without first going through its own administrative process. This expands the FTC's enforcement powers significantly.
- The ruling unsettles the EU–US Data Privacy Framework (DPF), which replaced the invalidated Privacy Shield. The DPF relies on the principle that US law provides "essentially equivalent" protections to EU law when US authorities access European data.
- European critics already argued the DPF was weak because US surveillance laws (e.g., FISA Section 702) and remedies for non-US persons fell short. Now the FTC's stronger hand raises fresh concerns: if the FTC can more easily impose penalties on companies, EU regulators may argue that US enforcement mechanisms have changed in ways that undermine the adequacy ruling that allows data flows.
- Trade and tech groups worry this could trigger a new challenge to the DPF in the European Court of Justice (like the Schrems II case that killed Privacy Shield), potentially disrupting the legal basis for thousands of transatlantic data transfers.