June 29 was the strangest day American privacy law has had in years. In the morning, the Supreme Court ruled in Chatrie that your cell-phone location history is protected by the Fourth Amendment — a genuine, decades-overdue win we covered the day it landed. But the second decision the Court issued that day may end up mattering just as much to your data, and almost nobody outside of Brussels noticed it was a privacy case at all.

In Trump v. Slaughter, a 6-3 majority held that statutory protections shielding Federal Trade Commission commissioners from at-will presidential removal are unconstitutional. Embracing the “unitary executive” theory, the Court reversed nearly a century of precedent — Humphrey’s Executor, the 1935 case that made independent agencies possible — and concluded that the President must be able to fire FTC commissioners for any reason, or none.

Domestically, that’s a story about administrative law and the future of every independent agency in Washington. Internationally, it’s something more specific: it may have just killed the legal arrangement that lets your data cross the Atlantic.

259 citations to a thing that no longer exists

The EU-US Data Privacy Framework — the 2023 adequacy deal that authorizes routine transfers of Europeans’ personal data to American companies — is built on a load-bearing assumption: that the United States has independent authorities overseeing how that data is protected. EU treaty law demands it. Article 8 of the Charter of Fundamental Rights requires that data-protection compliance be subject to control by an independent authority. The European Commission’s adequacy decision references the FTC’s independence, by noyb’s count, 259 times.

As of June 29, that independence is not merely weakened — the Supreme Court has declared it constitutionally forbidden. There is no independent FTC because, per the majority, there cannot be one.

Max Schrems, whose lawsuits already destroyed two previous transatlantic frameworks — Safe Harbor in 2015 and Privacy Shield in 2020 — wasted no time. His organization noyb sent a formal letter to the European Commission the same day the ruling came down: “Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US.” noyb says a lawsuit seeking annulment at the Court of Justice of the EU will follow within weeks.

Call it what everyone in the field is already calling it: Schrems III.

Why this one is different

The previous two rounds of this fight were, at least in theory, fixable. After Schrems I and Schrems II, the US could offer new commitments — a redress mechanism here, an executive order on signals intelligence there — and the Commission could paper over the gaps with a new framework. It was a legal Ship of Theseus, rebuilt twice while sailing.

This time the defect is constitutional. The Supreme Court has not said the FTC happens to lack independence; it has said the US Constitution prohibits the kind of independent oversight body that EU law requires. No executive order can fix that. No renamed framework can promise what the Constitution now forbids. The usual repair kit is empty.

And the damage is not confined to companies relying on the Framework itself. Standard Contractual Clauses and Binding Corporate Rules — the fallback mechanisms most multinationals keep in their back pocket — require transfer impact assessments that evaluate US law and oversight. Those assessments have leaned on the same now-defunct independent enforcement. If the FTC is a political instrument of whoever holds the White House, every one of those assessments needs to be rewritten, and it is genuinely unclear what a favorable one would even say.

What happens now

To be precise about the current legal state: the adequacy decision remains in force. The Supreme Court ruling does not invalidate it, and transfers under the Framework are lawful today. The European Commission has responded with studied calm, saying it “continues to monitor” whether US protections remain adequate and noting the GDPR gives it tools to suspend or amend the decision if they don’t.

But the trajectory is hard to miss. A CJEU annulment case takes two to three years — and the CJEU has annulled this species of decision twice before, on thinner grounds. The Commission can drag its feet, but it cannot make the Supreme Court’s holding disappear, and the Court of Justice has shown zero patience for adequacy decisions built on wishful thinking.

For the thousands of businesses that moved data across the Atlantic this morning — cloud hosting, payroll, analytics, CRM, all of it — the practical takeaway is uncomfortable: the legal basis for those flows is now a countdown timer with an unknown but probably short duration. Companies that lived through the Privacy Shield collapse in 2020 remember the scramble. This one is foreseeable years in advance, which means the excuses for being caught flat-footed are gone.

The bigger picture: one country, two directions

Hold the two June 29 rulings side by side and the incoherence is striking. In Chatrie, the Court told police they need a warrant to pull your location history, because privacy in the digital age demands structural protection from state power. In Slaughter, the Court dismantled the structural protection that kept the nation’s chief privacy regulator insulated from that same state power. The Constitution, apparently, protects your data from the police but forbids protecting the agency that protects your data from everyone else.

Europe noticed. The lesson Brussels will draw — is already drawing — is that American privacy protection is whatever the current administration wants it to be, revocable at will. That is precisely the condition adequacy law exists to guard against.

Your data doesn’t care about administrative law doctrine. But the pipes it flows through do, and on June 29 the Supreme Court quietly marked the transatlantic pipe for demolition. The only question left is the date.