---
title: "When the Load-Bearing Wall Comes Down"
description: "Key quote: Max Schrems: \"Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US.\" Why it matters:..."
url: https://kaynemcgladrey.com/blog/when-the-load-bearing-wall-comes-down/
date: 2026-07-01
modified: 2026-07-01
author: "Kayne"
image: https://kaynemcgladrey.com/wp-content/uploads/2026/07/CJEU-flag-and-logo.webp
categories: ["Blog"]
type: post
lang: en
---

# When the Load-Bearing Wall Comes Down

![Supreme Court](https://kaynemcgladrey.com/wp-content/uploads/2026/07/Supreme-Court.webp)

**Key quote:**

> Max Schrems: “Given that there are no independent authorities in the US anymore, we call on the European Commission to orderly withdraw the adequacy decision on the US.”

**Why it matters:**

Max Schrems has spent over a decade dismantling EU-US data transfer frameworks, and on June 29, 2026, the US Supreme Court handed him his latest tool. In [Trump v. Slaughter](https://www.supremecourt.gov/opinions/25pdf/25-332_qn12.pdf), a 6-3 majority overturned Humphrey’s Executor, the 1935 precedent shielding FTC commissioners from presidential removal. noyb, Schrems’s organization, declared the basis for any deal effectively invalid within hours – you can tell they had the press release ready to go. They’ve sent a [formal letter](https://noyb.eu/sites/default/files/2026-06/Letter_noyb_EU-US_data_transfers.pdf) to the European Commission urging a managed repeal of the DPF adequacy decision. This is pretty much the Schrems III challenge people have been expecting. I have a personal interest in this, as a former client (prior to Schrems II) had consolidated all of their global data in the US, and we had to pick apart their legal obligations when Schremsy won that round.

The European Commission relied on FTC independence 259 times inside the DPF adequacy decision. That detail isn’t minor or buried deeply in footnotes. The FTC served as the designated US equivalent of an independent data protection authority simply because we don’t have a national privacy regulator (although it keeps coming up in Congress). EU treaty law requires independent oversight under Article 16(2) TFEU and Article 8(3) of the Charter. Removing the FTC’s independence means that the European Commission needs to have a rethink.

Schrems’ track record makes this threat entirely credible. In 2015, [he ended Safe Harbor](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:62014CJ0362) after Snowden revealed the NSA exceeded EU proportionality standards while leaving citizens with zero redress. [Two years later](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:62018CJ0311), he targeted Privacy Shield because surveillance laws allowed bulk collection and the Ombudsperson lacked binding authority over intelligence agencies. Both frameworks eventually fell apart under sustained judicial scrutiny. Companies scrambled every single time a framework collapsed.

[This round](https://noyb.eu/en/us-supreme-court-just-blew-eu-us-data-transfers), the attack surface stretches wider than previous attempts. noyb argues that Standard Contractual Clauses and Binding Corporate Rules rest on the same flawed assumption regarding US enforcement independence. Transfer Impact Assessments under Article 14 require evaluating if US law permits compliance in practice. If the FTC loses independence and the DPRC exists only by executive order, defending those assessments becomes much harder legally. Schrems is taking aim at the entire legal basis of the existing agreement, rather than just one part of it.

Three weeks prior to the Slaughter ruling, the European Commission had released its [Tech Sovereignty Package](https://digital-strategy.ec.europa.eu/en/policies/eu-tech-sovereignty). Brussels worried the US CLOUD Act allows Washington to demand data from US providers regardless of storage location. There’s also quite a lot of money involved: EU spending on US cloud software reached $307 billion annually. The proposed package includes CADA with a four-tier Cloud Sovereignty Framework for procurement. It features Chips Act 2.0, an Open Source Strategy, plus a roadmap for energy digitization. So Schrems’ latest proposal is well-timed given the vibes, although the EU’s not going to have an easy time creating its own sovereign tech stack from chips to AI any time soon.

US cloud providers will face direct exposure to this sovereignty push first. Major players like AWS, Microsoft, and Google became targets of the new cloud tender restrictions aimed at dominance. Any US data center operator, AI developer, or semiconductor firm selling into EU public sector contracts will feel these procurement shifts. The EU’s open source mandate could lock proprietary vendors out of government business entirely.

For the broader DPF and SCC challenges brought by Schrems, the exposure widens significantly to include every US company receiving personal data from the EU. That includes SaaS providers processing customer data (who already have fun times with the GDPR), banks handling transactions, airlines managing passenger records, healthcare firms in joint research, and hospitality chains serving European guests. Small businesses generally lack the resources and patience to manage complex cross-border compliance shifts easily. Even the UK-US Data Bridge rests on the same FTC and DPRC foundation. If the European Commission moves, the UK will probably be pressured to follow or risk losing its own adequacy status.

Several triggers will dictate the timing of these changes moving forward. The Latombe appeal, Case C-703/25 P, sits pending at the CJEU with no hearing date set. noyb’s challenge could take years to reach a final judgment despite the urgency Schrems is trying to drum up. And oversight remains hobbled since the PCLOB lost its quorum when Trump fired three members by email. The Slaughter ruling settled the removal-powers question the PCLOB case waited on, meaning that body stays ineffective.

Companies shouldn’t panic, but they should stop treating the DPF as permanent protection, and maybe reconsider what data they’re storing, receiving, and processing from the EU. Add these to your to-do list for Q3:

- Maintain Standard Contractual Clauses alongside DPF certification for all high-volume flows involving sensitive data
- Refresh Transfer Impact Assessments right now because your arguments just got much harder to defend
- If you’re handling EU data, map every processor in the US to fully understand your true dependency
- Start to create a plan for how each flow would need to change if the DPF ends

Anyone who scrambled after the last collapse knows the cost of working under deadline pressure. Better to plan ahead and have the proverbial ‘big red binder’ to pull down off the shelf for this one.
