On 29 June 2026, the US Supreme Court decided Trump v. Slaughter. In a six-to-three decision it overturned Humphrey's Executor, a 1935 precedent, and ruled that the President can remove the heads of independent agencies at will. Most coverage read it as a story about presidential power. For anyone responsible for data in Europe, it is also something else. The legal floor under EU-US data transfers just cracked.

The Federal Trade Commission enforces the American side of the EU-US Data Privacy Framework, the arrangement that lets European companies send personal data to US providers. That arrangement holds because the European Commission judged US protection "essentially equivalent" to our own, and that judgment rests on the FTC being independent. The adequacy decision refers to that independence 259 times. This is not a detail. Independent oversight is written into EU treaty law. Remove it and the legal basis does not weaken, it disappears.

So what does this mean for European organizations? For now, less than the headlines suggest. The adequacy decision stays in force until the Commission repeals it or the European Court annuls it. Max Schrems' privacy group noyb, whose earlier cases brought down the two previous transfer deals, is filing a new complaint in the coming weeks. That would become the third Schrems case, and a final ruling usually takes two to three years. So this is not a verdict. It is a warning, with lead time. The gap between "nothing changes today" and "the basis is gone" is exactly where organizations need to get to work.

The real question this raises is not solely a legal one. It is about dependency. Your compliance stands on foundations you did not build and cannot control. And the shift that just happened is political, not commercial or technical. It came from a decision inside another country's own legal system, and no European organization had a say in it. No vendor contract can put it back.

Here is what that dependency looks like up close, through a simple but fundamental example. Ask a vendor whether they collect your visitors' IP addresses and you will often hear "we don't store them," or "they're anonymized." Both can be true. Both answer a narrower question than the one you asked.

An IP address reaches a server by necessity. The server needs a return address, or nothing comes back to the visitor. So the address is sent, received, held for however brief a moment, and only then anonymized. "We don't store it" describes that last step and stays quiet about the first three. And the moment a page loads anything from another domain, a font from a font service, a script from a content delivery network, an embedded map or video, each of those servers receives the same address too. Much of it fires as the page loads, before the visitor has touched a consent banner.

When a question like this came up, it tended to land with me. Legal knew the rules and leadership knew the stakes, but the answer sat in the space between the law, the systems, and the data, and someone had to hold all three at once. Follow one real case through that space, all the way to what is processed, why, by whom, and under whose law, and the picture is almost always wider than the reassurance you started with.

"Your data stays in the EU" is the same move, one level up. It is true, and it answers where the data rests, not who can reach it, under whose law, at which moment. Those are the questions on the table.

And this is the inconvenient truth. Even when "we don't store it" comes with the right technical and contractual guardrails, US surveillance law still reaches data in motion and data held by the provider. That is the step the reassurance cannot cover, because it was never the vendor's to control. It belongs to the same legal system that just shifted under Slaughter.

Reach for the usual technical answers and you hit the same wall. Moving the servers into the EU does nothing, because US law was made to reach data held by US providers wherever it sits. Encryption with your own keys sounds better, until you understand the technical implications and the practical limits. Microsoft's own guidance limits its double-key option to your most sensitive data, on the order of five percent, and even that is optimistic, because it breaks search, breaks the collaborative parts of Office, and locks documents across devices. It looks like a solution on a vendor's slide. In most real cases, it is not one.

None of the usual answers reaches the core of it. Not governance, not a "sovereign" US cloud, not special encryption and double keys, not carefully worded assurances. Each settles a corner of the problem and leaves the middle untouched. The Dutch technologist Bert Hubert has argued for years that Europe made itself dependent on infrastructure it cannot control, and that others can set the rules or switch off at any time[Dutch]. This was a choice, not a necessity. The longer you sit with it, the harder it is to unsee.

In an earlier essay, I argued the most valuable data skill isn't technical. That still holds. But no single expertise solves a problem like this. You need enough technical understanding to see what actually happens to the data, enough system knowledge to tell a real requirement from a nice-to-have, and enough grasp of the law to know what it truly asks. And when those are three different people who never sit at the same table, or never speak the same language, the vendor's version wins by default.

None of this forces a decision today. That is the reason to start now. The framework still stands, but the third Schrems case is already being prepared, and the first two rewrote how every European company moves data. Two to three years of lead time is enough to do the quiet, useful work: map which of your processes actually depend on US providers, and get the people who understand the technology, the data, and the law into the same room, speaking the same language, while this is still planning and not a scramble.

The ground moved in a courtroom no European will ever enter, under rules none of us voted on. It will move again, and the next Schrems case decides when, not whether. More sovereignty promises will not carry you through it. Knowing exactly what your business depends on, and what that dependency rests on, will.

The Ground Under EU-US Data Transfers Just Shifted