Dieser Beitrag ist nur auf Englisch verfügbar.

The one word holding up EU-US data transfers

Melious

Most infrastructure decisions do not hinge on a single word. This one does. The word is "independent", and on Monday the US Supreme Court took it away from the agency the EU was counting on.

What the court actually decided

On 29 June 2026, in Trump v. Slaughter, the Supreme Court ruled 6 to 3 that the Federal Trade Commission's "for cause" removal protections violate the separation of powers. FTC commissioners can now be fired by the president at will. The decision overturns Humphrey's Executor v. United States, the 1935 precedent that had served as the legal foundation for the independence of many US agencies for nearly ninety years.

Read narrowly, this is a US domestic story about presidential power. Most coverage treats it that way. But there is a second layer that almost no one outside legal and compliance teams is talking about, and it runs straight through every European company that keeps data on a US cloud.

Why a European company should care

EU treaty law, specifically Article 16(2) TFEU and Article 8(3) of the Charter, requires that oversight of data protection be carried out by an independent authority. For a third country to receive EU data freely, it has to offer essentially equivalent protection, and independent oversight is part of that bar. The US appointed the FTC to play that role. The European Commission's EU-US adequacy decision relies on the independent FTC 259 times.

That independence is what made the construction hold. As of Monday, it is gone. The watchdog the entire arrangement leans on now serves at the pleasure of the White House.

Where it actually bites: the Transfer Impact Assessment

Here is the part that matters for the people doing the real work. Many companies do not rely on the adequacy decision at all. They run on Standard Contractual Clauses, and SCCs depend on a Transfer Impact Assessment. That assessment leans on the same formerly independent US bodies, the PCLOB and the Data Protection Review Court, to argue that EU data is adequately protected once it lands.

The independence of US oversight is exactly what a TIA assesses. Since Monday, that document carries one problem it did not carry on Friday. You do not have to accept anyone's worst-case reading to see it. You just have to fill in the form honestly.

The trapdoor was built last September

If someone objects that the framework was just upheld, they are right, and it does not help them. In September 2025, the EU General Court dismissed the Latombe challenge and confirmed the adequacy decision. But it assessed the framework only as it stood on 10 July 2023, and it stressed the Commission's ongoing duty to monitor the US and to suspend, amend or repeal the decision if protections deteriorate.

That is a trapdoor. The court itself wrote the condition under which the framework can be reopened: a material change in US law or practice after July 2023. Trump v. Slaughter is exactly such a change. The strongest argument here is not an activist's. It is the EU court's own.

This is not happening in isolation

The ruling lands in the middle of a broader European move. On 3 June 2026 the Commission proposed the Cloud and AI Development Act, a four-tier cloud sovereignty framework that scores providers by jurisdiction rather than geography, which is why a provider with servers in Frankfurt can still fail the top tiers. On 25 June, the Commission preliminarily designated AWS and Azure as gatekeepers under the Digital Markets Act. Both are still proposals or preliminary findings, and both can be contested. But the direction is one way, and it is not toward more dependence on US infrastructure.

Where Melious sits

This is the question that just got harder for everyone running EU data on a US cloud. For us it was never open. Open-weight models, hosted in Europe, data under EU law. No US provider sits in the data path, so there is no US oversight to assess.

If your next Transfer Impact Assessment just got heavier, that is the conversation worth having now, not after the Commission moves or the next Schrems case is filed.

#### If jurisdiction is the open question in your stack

Melious runs open-weight models on European infrastructure, with data under EU law and no training on customer data. The same OpenAI-compatible endpoint, a different jurisdiction.

See how it works

Sources: Trump v. Slaughter, US Supreme Court · noyb analysis · EU-US adequacy decision, EUR-Lex. This article is general information, not legal advice.