The EU-US Data Privacy Framework Under Pressure: What the Supreme Court Ruling Means for Health Data Transfers

Written by:
Friedrich Lämmel
EU-US Data Privacy Framework

Organizations that transfer health data between the EU and the United States have spent years navigating an unstable legal landscape. It has been a rocky decade. Safe Harbor was invalidated in 2015. Privacy Shield followed in 2020. The EU-US Data Privacy Framework (DPF), adopted in 2023, was meant to be the durable solution as the third attempt to establish a legal basis for transatlantic data flows that could survive judicial scrutiny. But like all good it must come to an end as well.

On June 29, 2026, the US Supreme Court issued a ruling that puts that framework in serious doubt. The decision does not immediately invalidate the DPF. But it removes one of the foundational pillars the framework was built on, and the consequences for organizations handling health data across borders could be significant, and today we will go through them together. 

What Is the EU-US Data Privacy Framework?

The EU-US Data Privacy Framework is an adequacy decision issued by the European Commission in July 2023. It allows US organizations certified under the DPF to receive personal data from the EU without needing to put additional transfer mechanisms in place, such as Standard Contractual Clauses or Binding Corporate Rules.

The DPF was built on the premise that two specific US institutions, the Federal Trade Commission and the Privacy and Civil Liberties Oversight Board, could serve as independent enforcement and oversight bodies, giving the Commission grounds to find that US law provided effective rights, oversight, and redress for EU data subjects.

What Did the Supreme Court Actually Rule?

The case, “Trump v. Slaughter”, arose after President Trump dismissed two Democratic FTC Commissioners without citing any statutory grounds for removal, despite federal law restricting dismissal to inefficiency, neglect of duty, or misconduct.

The Supreme Court ruled 6-3 that those restrictions are unconstitutional, following the "unitary executive theory", the principle that the President must have direct control over all executive branch agencies. The practical result: the FTC is no longer genuinely independent, and its enforcement priorities can be shaped directly by whoever holds the presidency.

Why This Ruling Directly Threatens the DPF

The FTC's Central Role in the Adequacy Decision

The European Commission's adequacy decision references the FTC's independence 259 times. The entire logic of the DPF rests on the assumption that the FTC operates as an independent watchdog with two core responsibilities:

  • Enforcing DPF commitments made by US-certified companies
  • Providing a credible avenue of redress for EU individuals whose data protection rights have been violated

GDPR requires that data protection supervision be carried out by independent authorities. An FTC subject to direct presidential control does not meet that standard. The legal foundation the Commission relied on has shifted.

The PCLOB Problem

The Supreme Court ruling is not the first blow to the DPF's oversight structure. In January 2025, President Trump dismissed three members of the Privacy and Civil Liberties Oversight Board (PCLOB). It is the body responsible for independently reviewing intelligence surveillance activities and overseeing the DPF's redress mechanism. With the PCLOB lacking a quorum, several critical functions came to a halt:

  • Annual review of DPF privacy protections
  • Oversight of the redress mechanism that EU individuals are supposed to use when their data rights are violated
  • Independent assessment of intelligence surveillance activities affecting EU data subjects

The Supreme Court ruling compounds an oversight framework that had already been significantly weakened.

This Has Happened Before

Schrems I: The End of Safe Harbor (2015)

Safe Harbor was struck down by the CJEU in October 2015 after Max Schrems complained that US surveillance law, the NSA programs revealed by Edward Snowden, made adequate protection of EU citizens' data impossible.

Schrems II: The End of Privacy Shield (2020)

Privacy Shield fell in July 2020 for the same reason: US law had not changed sufficiently to ensure effective redress, and the CJEU raised concerns about the independence of the US oversight mechanisms the adequacy decision relied on.

Both frameworks were struck down because the underlying legal reality in the US did not match the assumptions the adequacy decision was built on. The current situation may follow the same trajectory.

Is a Schrems III Coming?

NOYB, the European privacy organization behind both Schrems I and Schrems II, has already indicated it intends to challenge the DPF, describing the ruling as providing the missing legal argument for a third invalidation: that US enforcement mechanisms no longer meet EU standards of independence. The Commission has stated it will assess whether the ruling affects the DPF's validity. A challenge could reach the courts through several routes:

  • NOYB filing a direct challenge to the DPF adequacy decision before a national data protection authority
  • A national DPA referring the question to the Court of Justice of the European Union
  • The European Commission itself suspending or withdrawing the adequacy decision if it concludes it is no longer defensible

A third invalidation would not happen immediately, but organizations that rely solely on the DPF should not interpret the absence of immediate action as an absence of risk.

Why Health Data Faces Compounded Risk

Article 9 of the GDPR designates health data as "special category" data, subject to stricter protections than ordinary personal data. Processing it requires not just a lawful basis under Article 6, but an additional condition under Article 9, such as explicit consent or a specific public interest justification.

For organizations transferring health data from the EU to the US, any disruption to the DPF is a compounded problem. Replacing it with alternative mechanisms for special category data requires more documentation, more legal analysis, and more operational change than for ordinary personal data.

What Remains if the DPF Falls

Standard Contractual Clauses (SCCs)

SCCs survived Schrems II but require a Transfer Impact Assessment confirming that destination country law does not undermine the protections provided. For health data transferred to the US, that means careful analysis of US surveillance law - the same concern behind both previous invalidations.

Binding Corporate Rules (BCRs)

BCRs allow multinationals to transfer data within a corporate group under internally approved policies. They are robust but resource-intensive, making them impractical for smaller digital health companies and research institutions.

EU Data Residency

Keeping EU health data within the European Economic Area eliminates the transfer question entirely, the most straightforward path to compliance certainty for organizations where it is operationally feasible.

What Digital Health Organizations Should Do Now

Waiting for regulatory clarity before acting is a risk in itself. Organizations that depend on transatlantic health data transfers should take several steps now, regardless of how the DPF situation develops.

  1. Audit current transfer mechanisms: identify which data flows rely on the DPF and which use SCCs, BCRs, or other bases
  2. Do not rely solely on the DPF: begin establishing alternative mechanisms for critical data flows so that a DPF invalidation does not require an emergency response
  3. Conduct or update Transfer Impact Assessments: if SCCs are part of your transfer framework, ensure the supporting TIAs reflect the current US legal landscape
  4. Prioritize EU data residency where possible: particularly for health data, keeping data within the EU eliminates the need to rely on transfer mechanisms that may become unstable
  5. Monitor the EU Commission's assessment: and engage legal counsel with data transfer expertise to interpret the implications for your specific situation

How Thryve Approaches Data Compliance

Regulatory uncertainty around transatlantic data flows is not a new problem, and it is not going away. At Thryve, our infrastructure is built around EU data residency and GDPR-compliant data flows as a foundational principle. It’s important to take action on the things that are in our control zone. And with Thryve, you can ensure yourself from all the data scrutiny. 

With our API, you get:

  • EU Data Residency: Health data processed and stored within the European Economic Area, eliminating dependency on transatlantic transfer mechanisms
  • GDPR-Compliant Infrastructure: Consent management, data subject rights, and compliant data flows built into the platform at the infrastructure level
  • Standardized Biometric Models: Normalized health data across 500+ devices and sources, with privacy and compliance controls applied consistently regardless of data origin

If your organization handles international health data transfers, it is time to view compliance as the baseline of the health solutions, and Thryve's infrastructure supports compliant, resilient health data operations.

Book a demo with Thryve!

Friedrich Lämmel

CEO of Thryve

Friedrich Lämmel is CEO of Thryve, the plug & play API to access and understand 24/7 health data from wearables and medical trackers. Prior to Thryve, he built eCommerce platforms with billions of turnover and worked and lived in several countries in Europe and beyond.

About the Author