.png)
Organizations that transfer health data between the EU and the United States have spent years navigating an unstable legal landscape. It has been a rocky decade. Safe Harbor was invalidated in 2015. Privacy Shield followed in 2020. The EU-US Data Privacy Framework (DPF), adopted in 2023, was meant to be the durable solution as the third attempt to establish a legal basis for transatlantic data flows that could survive judicial scrutiny. But like all good it must come to an end as well.
On June 29, 2026, the US Supreme Court issued a ruling that puts that framework in serious doubt. The decision does not immediately invalidate the DPF. But it removes one of the foundational pillars the framework was built on, and the consequences for organizations handling health data across borders could be significant, and today we will go through them together.
The EU-US Data Privacy Framework is an adequacy decision issued by the European Commission in July 2023. It allows US organizations certified under the DPF to receive personal data from the EU without needing to put additional transfer mechanisms in place, such as Standard Contractual Clauses or Binding Corporate Rules.
The DPF was built on the premise that two specific US institutions, the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, could serve as independent enforcement and oversight bodies, giving the Commission grounds to find that US law provided effective rights, oversight, and redress for EU data subjects.
The case, “Trump v. Slaughter”, arose after President Trump dismissed two Democratic FTC Commissioners without citing any statutory grounds for removal, despite federal law restricting dismissal to inefficiency, neglect of duty, or misconduct.
The Supreme Court ruled 6-3 that those restrictions are unconstitutional, following the "unitary executive theory", the principle that the President must have direct control over all executive branch agencies. The practical result: the FTC is no longer genuinely independent, and its enforcement priorities can be shaped directly by whoever holds the presidency.
The European Commission's adequacy decision references the FTC's independence 259 times. The entire logic of the DPF rests on the assumption that the FTC operates as an independent watchdog with two core responsibilities:
GDPR requires that data protection supervision be carried out by independent authorities. An FTC subject to direct presidential control does not meet that standard. The legal foundation the Commission relied on has shifted.
The Supreme Court ruling is not the first blow to the DPF's oversight structure. In January 2025, President Trump dismissed three members of the Privacy and Civil Liberties Oversight Board (PCLOB). It is the body responsible for independently reviewing intelligence surveillance activities and overseeing the DPF's redress mechanism. With the PCLOB lacking a quorum, several critical functions came to a halt:
The Supreme Court ruling compounds an oversight framework that had already been significantly weakened.
Safe Harbor was struck down by the CJEU in October 2015 after Max Schrems complained that US surveillance law, the NSA programs revealed by Edward Snowden, made adequate protection of EU citizens' data impossible.
Privacy Shield fell in July 2020 for the same reason: US law had not changed sufficiently to ensure effective redress, and the CJEU raised concerns about the independence of the US oversight mechanisms the adequacy decision relied on.
Both frameworks were struck down because the underlying legal reality in the US did not match the assumptions the adequacy decision was built on. The current situation may follow the same trajectory.
NOYB, the European privacy organization behind both Schrems I and Schrems II, has already indicated it intends to challenge the DPF, describing the ruling as providing the missing legal argument for a third invalidation: that US enforcement mechanisms no longer meet EU standards of independence. The Commission has stated it will assess whether the ruling affects the DPF's validity. A challenge could reach the courts through several routes:
A third invalidation would not happen immediately, but organizations that rely solely on the DPF should not interpret the absence of immediate action as an absence of risk.
Article 9 of the GDPR designates health data as "special category" data, subject to stricter protections than ordinary personal data. Processing it requires not just a lawful basis under Article 6, but an additional condition under Article 9, such as explicit consent or a specific public interest justification.
For organizations transferring health data from the EU to the US, any disruption to the DPF is a compounded problem. Replacing it with alternative mechanisms for special category data requires more documentation, more legal analysis, and more operational change than for ordinary personal data.
SCCs survived Schrems II but require a Transfer Impact Assessment confirming that destination country law does not undermine the protections provided. For health data transferred to the US, that means careful analysis of US surveillance law - the same concern behind both previous invalidations.
BCRs allow multinationals to transfer data within a corporate group under internally approved policies. They are robust but resource-intensive, making them impractical for smaller digital health companies and research institutions.
Keeping EU health data within the European Economic Area eliminates the transfer question entirely, the most straightforward path to compliance certainty for organizations where it is operationally feasible.
Waiting for regulatory clarity before acting is a risk in itself. Organizations that depend on transatlantic health data transfers should take several steps now, regardless of how the DPF situation develops.
Regulatory uncertainty around transatlantic data flows is not a new problem, and it is not going away. At Thryve, our infrastructure is built around EU data residency and GDPR-compliant data flows as a foundational principle. It’s important to take action on the things that are in our control zone. And with Thryve, you can ensure yourself from all the data scrutiny.
With our API, you get:
If your organization handles international health data transfers, it is time to view compliance as the baseline of the health solutions, and Thryve's infrastructure supports compliant, resilient health data operations.
Book a demo with Thryve!
Friedrich Lämmel is CEO of Thryve, the plug & play API to access and understand 24/7 health data from wearables and medical trackers. Prior to Thryve, he built eCommerce platforms with billions of turnover and worked and lived in several countries in Europe and beyond.