Thought for the week: What Slaughter and a World Cup penalty have in common

The U.S. Supreme Court's Slaughter decision may complicate the future of the EU-U.S. Data Privacy Framework, making preparedness and business continuity planning increasingly important.

Contributors:
Brian Hengesbaugh
CIPP/US
Global Chair, Data and Cyber
Baker McKenzie
Editor's note
The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.
This article is part of an ongoing series that will explore issues or recent developments in data, cybersecurity and artificial intelligence governance.
In Thursday's World Cup match between Portugal and Croatia, Croatia held a 1-0 lead until the 68th minute. Then, things changed. Croatia's Nikola Vlašić was ruled to have wrestled/pulled down Portugal defender Renato Veiga inside the penalty area during a corner kick. This awarded Portugal a penalty kick. Portugal's superstar, Cristiano Ronaldo, then converted that penalty kick into a goal. Game tied 1-1. Portugal went on to win the match in stunning fashion 2-1, and advance to the round of 16.
I immediately thought of the U.S. Supreme Court's decision in Trump v. Slaughter, and its impact on the EU-U.S. Data Privacy Framework. Let me explain. The Supreme Court ruled in Slaughter that a statutory provision that only permits the president to remove members of the Federal Trade Commission for cause, i.e., for "inefficiency, neglect of duty, or malfeasance in office," was unconstitutional.
In other words, the president has authority to remove commissioners with or without cause. Accordingly, President Donald Trump's decision to remove a Democratic appointee Rebecca Kelly Slaughter without cause is constitutional and she has no right to reinstatement. This decision effectively overturns longstanding precedent in Humprey's Executor and has implications for FTC enforcement priorities and other agency actions.
What does Slaughter have to do with DPF?
In brief, the DPF is the third iteration of a trans-Atlantic data protection arrangement between the European Commission and the U.S. Department of Commerce. From a legal perspective, the European Commission issued a decision in 2023 that the DPF provides an "adequate level of protection" within the meaning of Article 45 of the EU General Data Protection Regulation. Predecessor versions of DPF — consisting of Privacy Shield and my beloved Safe Harbor — have been invalidated by the Court of Justice of the European Union in 2020 and 2015, respectively.
The CJEU's focus in those decisions has been on European privacy concerns in relation to U.S. government surveillance. In response, the DPF embeds a strong response to such concerns, including substantive and procedural privacy protections on U.S. government surveillance for European citizens, and ultimately an appeal right for EU citizens to a Data Protection Review Court.
Beyond government surveillance, another key ingredient for an “adequacy” decision under GDPR Article 45(2)(b) is the existence and effective functioning of one or more independent supervisory authorities. In prior CJEU decisions on Privacy Shield and Safe Harbor, the independence of the FTC — as the agency that enforces DPF rules — has not been a significant issue.
That may now change with the Slaughter decision. In this way, the Slaughter decision effectively awards a "penalty kick" of sorts to the challengers of the DPF. We'll see if they are able to convert a goal in their arguments before the CJEU. Nothing is firmly decided at this point, but the decision could play a key factor.
Who wins and who loses if DPF is invalidated?
I think the list of winners is short if the DPF is invalidated. It includes Latombe, the French National Assembly member who brought the current challenge to the DPF. It also includes some nonprofit advocates, such as Max Schrems, who seem poised to add his challenge to the DPF following the Slaughter case.
My view is that it is not accurate to count EU citizens among the winners for a couple of reasons. First, such a decision would threaten to limit their access to U.S. digital and other products and services which they seem to very much appreciate. Second, if EU citizens themselves had serious privacy concerns about U.S. government surveillance, we would have expected to see more use of the procedural rights afforded to them under the DPF. From the most recent Office of Civil Liberties, Privacy and Transparency Annual Report, it seems that only one or possibly two EU citizens have actually raised complaints via this mechanism. Think about that for a moment. All this attention on U.S. government surveillance, and only one or two actual complaints over the years. One could try to argue that it's complicated for them, but in reality, all EU citizens need to do is reach out to their local EU data protection authority, who would transmit the complaint to the Office of Civil Liberties.
In contrast, many stakeholders lose if the DPF is invalidated. First and foremost, EU companies lose significantly. The DPF is a basis for them to have assurance they are meeting their GDPR obligations to address the "adequate protection" requirement when they do business with U.S. companies. And, by virtue of its structure, the DPF provides that privacy protection on the government surveillance, i.e., the transfer impact assessment, not just for U.S. businesses that participate directly in DPF, but it also meets the transfer impact assessment for recipients that rely on EU standard contractual clauses, binding corporate rules and the like.
Second, and perhaps more importantly, much has been made in recent weeks with the turmoil over non-U.S. company access to artificial intelligence frontier models following U.S. government decisions under export controls and other grounds. The invalidation of the DPF would be an "own goal" — to stay with the World Cup analogy — that would cut off EU business access to these frontier models to the extent that their use case would involve personal data.
U.S. companies that do business with EU customers would also be harmed if the DPF is invalidated. As was the case when Privacy Shield and Safe Harbor were invalidated, it would be infeasible for EU data protection authorities to aggressively enforce a sudden unavailability of an adequacy mechanism across the entire EU to U.S. market. My expectation is that U.S. companies would need to deal with ad hoc, random enforcement actions motivated by individual complaints or initiatives by authorities. This would introduce significant uncertainty into the data flows that underpin trillions of dollars in trans-Atlantic trade in services.
EU citizens also would be harmed on several levels. Perhaps most notably from an EU fundamental rights perspective, the DPF substantive and procedural rights that they enjoy right now would be revoked. In particular, the availability of the Data Protection Review Court and all the substantive and procedural rights to challenge U.S. government surveillance will be removed, as it is predicated via U.S. executive order on an EU adequacy decision that allows U.S. business to receive personal data from EU.
From a broader commercial perspective, EU citizens will also lose the benefit of having the FTC enforce DPF privacy rules against U.S. companies on U.S. territory. This would not happen right away, because the FTC will still be able to enforce against U.S. companies for the time period that such companies participated in DPF while it was valid. Over time, this will be a significant loss.
What should companies do now?
There are several steps companies could start to take now to address these rapidly developing issues.
Let your voice be heard
Now is an excellent time to connect with government affairs teams in Europe with responsibility for digital and data matters and see whether or how you could intervene directly or through trade associations if you'll be impacted by an adverse CJEU ruling on the DPF. I also never miss the chance to remind people that we really need an effective treaty among western democracies on data, cyber and AI to establish some certainty for business and privacy/human rights, so this is something to mention to government agencies with authority in this realm.
Start to prepare for alternative cross-border data transfer solutions
Initial steps could include revisiting pre-DPF versions of transfer impact assessments and other documentation around cross-border transfers. This can include both intra-group agreements, as well as standard provisions in third-party contracts for contingencies if there are disruptions in cross-border data flows. Medium to longer-term planning could also take into consideration whether data should be directed to "lower risk" third countries that may be more favored from an EU privacy perspective, such as India and/or different solutions.
Build more resilience into business continuity planning, including AI models
Businesses need to start thinking more about business continuity in an increasingly fragmented world. Long-term planning should reflect a diverse range of risks that could impact cross-border service delivery and development activities. Everything from potential sudden changes to availability of EU-U.S. data flows such as the invalidation of the DPF, to adoption of export control restrictions on access to frontier AI models, to ongoing enforcement or development of national security rules such as the U.S. Department of Justice rule.
Raise with senior leadership that this could become an issue
It's important to incorporate the risks on EU-U.S. cross-border data transfers into the mix of considerations, e.g., geopolitical risks, data localization, national security concerns, so senior leadership is not surprised if something significant develops in this area.
To continue the World Cup analogy, the game is not over for DPF just because of the Slaughter decision. Much of the game is yet to be played, but the players need to be focused and working diligently if there is to be a successful outcome.

This content is eligible for Continuing Professional Education credits. Please self-submit according to CPE policy guidelines.
Submit for CPEsContributors:
Brian Hengesbaugh
CIPP/US
Global Chair, Data and Cyber
Baker McKenzie



