I've been sitting with the US Supreme Court's decision in Trump v. Slaughter since it landed on Monday and I still can't quite believe where it leaves us - in one 6-3 ruling the court has taken the single thing our entire data deal with America was built to rely on and abolished it - the independence of the Federal Trade Commission - given so many people are talking about it, I figured I would also share my thoughts...

The whole Data Privacy Framework (DPF) rests on one promise, that American oversight of our data is independent and effective enough to pass as 'essentially equivalent' to what we have in the EU - and the Commission leaned on the FTC's independence so heavily that they mentioned it 259 times as being evidence of such protections existing. So it's no small matter when the Supreme Court turns round and rules, in as many words, that the FTC isn't independent of the President at all.

Roberts left no wriggle room, he wrote that the FTC "unquestionably exercises executive power, and must therefore be controlled by the" President, that Slaughter had "served as the President's subordinate" and that he was "entitled to cut her tenure short" - and you only need to set that beside a decision calling the same agency independent 259 times to see that Brussels and SCOTUS are now contradicting each other. Slaughter herself was sacked with a letter that didn't mention a single one of the statutory grounds, telling her only that keeping her on would be "inconsistent with my Administration's priorities" - which tells you everything you need to know about the independent protection our personal data is now flowing towards.

What I keep coming back to is the irony of it, the case they had to reach back and overturn to get here, Humphrey's Executor, was itself a row about a President sacking an FTC commissioner - Roosevelt getting rid of a man called William Humphrey in 1935 over nothing more than a policy disagreement - and the court of that day looked at it and said no, that's exactly what the FTC is built to be protected from - and here we are 91 years on with a very different court staring at the same agency and the same firing without cause whilst reaching the opposite conclusion.

Removal is only part of it though, the part I care about more is that even with its independence intact the FTC's grip on the things that actually matter now - tracking, profiling, the data brokers, the models being trained on all of us - was never written into law by Congress in the first place, it hangs entirely off the FTC's own expansive reading of Section 5, the unfair-or-deceptive-practices clause it has spent decades stretching to cover harms the Act never mentions because somebody had to and nobody else would. Chevron is what kept that reading alive - and Loper Bright killed that two years ago, so a federal judge now gets to decide for himself whether "unfair or deceptive" really reaches a tracking pixel or a training set - and a good many of them will read the words and say plainly that it doesn't.

So the agency the Commission called independent 259 times is being gutted from both ends at once, its independence gone under Slaughter and its reach hollowed out by Loper Bright - and the most worrying thing of it all is that the very FTC we're relying on to protect European personal data is the one Meta and Alphabet are already circling back home - Meta went to court in 2023 to fight the Commission reopening its privacy order and lost the constitutional argument for one reason only, that Humphrey's Executor was still standing in the way - and Humphrey's is precisely what the court has now demolished, so the door Meta was banging on has come off its hinges - and that's before you add the Jarkesy line of cases quietly stripping the FTC of the power to run its own in-house penalty trials at all.

What really gives the game away is the exception they carved on the very same day - in a companion case, Trump v. Cook, the same court reached out to protect exactly one body from the President - the Federal Reserve - on the reasoning that letting him control the Fed would spook the markets and wreck monetary policy. So they understood full well what political control does to a body which is supposed to be independent, they just decided the money was worth shielding and the agency that looks after ordinary consumers and polices the DPF, covering hundreds of millions of Europeans wasn't worth the bother.

Some would ask whether we're honestly better off with judges reading the law rather than political appointees inside an agency - and in a country whose separation of powers still worked I might even lean that way, but sadly that isn't the case. My bigger worry is competence - a regulator who deals with these issues every single day and has a team of experts working for them is far more likely to understand how a new technology impacts existing law or public policy, far quicker than a judge in a court room - and once you write your law in tight prescriptive terms the judge can only rule on the words in front of them, which leaves you waiting on the legislature to pass a fresh statute every time the technology (or political climate) changes - and that always ends badly, really badly - which is exactly why (in the EU) we create our laws on principles that are resilient to global changes (whether they be politics, technological or otherwise).

So where does all of this leave the DPF? The General Court threw out the Latombe challenge only last September and waved the DPF through, with an appeal now pending in front of the Court of Justice, though the Court did explicitly remind the Commission that it carries a standing duty to keep watching that order and to suspend or amend or repeal the finding the moment the protections slip. Well, they didn't just slip, they are currently collapsed in a heap at the end of the ramp in about as public a way as it's possible to imagine, SCOTUS has ruled that a body Brussels called independent 259 times actually answers to the President and can be sacked on a whim - the weather that morning, the colour of the commissioner's hair, whatever's soured his mood by lunchtime.

NOYB saw it instantly, within a day Schrems and his team had written to the Commission telling it to repeal the framework outright, with a fresh reference already being drafted to the Court of Justice - not to mention Latombe's pending appeal.

None of this stops Alphabet, Meta, Amazon et al from slurping up our personal data tomorrow, the framework's still live and thousands of companies are still leaning on it as I write. If the Commission's answer is to bury their heads in the sand and keep the agreement going because it's concerned about the political fallout, it's choosing the convenience of commerce over the fundamental rights it exists to protect - and handing Schrems his third win on the way.

For privacy professionals and Data Controllers/Processors - read what SCOTUS (especially Roberts) actually said and act on it now, before the CJEU annuls EU>US transfers for a third time.

It is inevitable, it is what I and everyone else I call a colleague has said since DPF came into effect. I don't think a single competent DPO out there (at least not that I know) ever believed DPF would stand long term and has told their Controllers to keep SCC's in the aisles - but that raises another question, if DPF doesn't provide an essentially equivalent level of protection given the latest SCOTUS ruling, neither can SCC's (which the Court already brushed against in Schrems II) - the only real answer is to get control of your stack and start to seriously think about data sovereignty, before the basket is crushed and all your eggs are broken.