Skip to content
Chimera readability score 71 out of 100, Expert reading level.

Digital Privacy
02 Jul 2026 Mariano delli Santi
The end is nigh for US data transfers
The Supreme Court held that President of the United States can remove members of public offices at will. The judgment overturns well-established case-law that protected the independence of federal agencies, and has serious consequences for personal data transfers, digital rights, and the digital economy at large.
Personal data transfers between the EU and the US are made possible by the EU-US Data Privacy Framework (EU-US DPF), under which the US committed to protect personal data transferred to the US from its mass surveillance programmes. Data flows between the UK and the US depend on this scheme as well. The oversight of the framework rested on a number of US federal agencies, whose independence has now been gutted by the Supreme Court ruling.
The practical implications of this judgment are hard to understate for a country such as the UK, whose government and digital economy are highly dependent on US tech firms. It doesn’t only undermine the EU-US DPF, whose judicial invalidation is now guaranteed. US federal agencies have become structurally unable to act as meaningful legal guardians, making any future agreement with the US unworkable. Short-term fixes that were relied on in previous crises, such as Standard Contractual Clauses, would now prove ineffective: contracts are no solution against arbitrary State power, and there is no realistic prospect of a structural agreement being reached.
Likewise, the UK has recently reformed its data protection law to, potentially, allow personal data transfers to take place even if such protections are missing. If the UK were to pursue this path, however, it would lose adequacy status with the EU, and the consequences would be dramatic. In 2020, it was estimated “that the aggregate cost to UK firms of no adequacy decision would likely be between £1 billion and £1.6 billion” in legal and compliance costs alone. This does not account for the impact loss of adequacy would have on the EU-UK Trade and Cooperation Agreement, nor for its incompatibility with the non-diminution principle which Northern Ireland enjoys under the Good Friday Agreement and the Windsor Framework.
Hard truths require real solutions. The UK needs to depart from the failed path of technological dependency from the US and appeasement to US corporate interests. The new Labour leadership will have a difficult task at hand: charting a clear roadmap to digital sovereignty.
The Supreme Court Judgment Explained
In 2025, the Trump administration proceeded to replace democratic-affiliated members of several federal agencies with their own political allies. This purge reached both the US Federal Trade Commission (FTC) and the Privacy and Civil Liberties Oversight Board (PCLOB). Rebecca Slaughter, one of the FTC members who were fired, sued the US government, on the basis of well-established case-law that protected the independence of federal agencies. The case reached the US Supreme Court, which overturned such precedents and gave the President unfettered power to remove officials from public offices.
In the words of the US Office for Legal Counsel, independence is a means to “maintaining the separation of powers”, and a shield against legal decisions being reflective of partisan political agenda rather than the preservation of Justice. Sonia Sotomayor, a dissenting Justice within the Supreme Court, pointed out that the unfettered Presidential authority handed over by this judgment will “destroy the structure of government and […] take away from Congress its ability to protect” independent agencies. She continued by noting that, even under colonial rule, “Neither the king, nor parliament nor prime ministers in England at the time of the founding [of the United States] ever had an unqualified removal power”.
Thus, the Supreme Court has just undermined the integrity of the US regulatory environment as a whole. Tech companies who are based or operate in the US are now exposed to a new reality, where their legal obligations can be manipulated arbitrarily by the US administration.
A Death Warrant for Data Transfers to the US
Transfers of personal data to the US are at the centre of a decades-long legal controversy over the impact of US mass surveillance programmes on the security of European personal data. In 2022, the Biden administration signed an Executive Order that established a mechanism to protect personal data transfers to the US, and restrictions to the President’s authority to conduct surveillance programmes. This was the culmination of a long political process, started with the Data Free Flow with Trust initiative and the OECD declaration on government access to data, which sought to create baseline rule of law safeguards for the secure transfer of personal data among democratic countries.
On the basis of these commitments, the European Commission adopted the an adequacy decision for the so-called EU-US Data Privacy Framework (EU-US DPF), which legalises transfers of personal data between the EU and the US. However, the oversight of this framework rested on the FTC, the PCLOB, and the Data Protection Review Court. Article 8 of the Charter of Fundamental Rights of the EU requires oversight to be independent, to protect the overseers’ ability to enforce legal standards. By empowering the Trump administration to remove their members at will, the US Supreme Court undermined oversight, and thus the workability of the framework as a whole.
Max Schrems, a renowned privacy activist, has already pointed out that the invalidation of the US adequacy decision is not a matter of if but when, and called “on the European Commission to orderly withdraw the adequacy decision on the US”. Max Schrems already obtained the judicial invalidation of the previous US adequacy decisions twice, and the letter states that he is ready to seek a third judicial invalidation if the Commission does not act.
The UK is in a Tough Spot
In the UK, transfers of personal data to and from the US are underpinned by a so-called UK extension of the EU-US DPF: if or when the EU framework goes down, the “UK extension” will follow, making transfers of personal data to the US unlawful. To cope with the disruption this will cause, there are a few “easy fixes” that organisations and the UK government may try to pursue. Such options would, at best, be short-sighted and inadequate responses to the upcoming crisis. At worst, they would risk invalidating the UK adequacy decision.
UK organisations may try to rely on alternative mechanisms, such as Standard Contractual Clauses, that allow international data transfers to countries that lack acceptable data protection standards. However, the Schrems II judgment has already established that contractual arrangements are useless against US surveillance powers, and thus inadequate in this instance. This would leave UK organisations with the option to rely on encryption and key management. This is a technically-complex workaround that may work for some, but will be unfeasible for many.
The UK government could be tempted to use the new powers, introduced by the Data Use and Access Act (DUAA) 2025, to re-legalise transfers to the US. Contrary to the EU GDPR, the new UK international data transfers regime allows the Secretary of State to authorise personal data transfers to country that do not have independent or judicial oversight of data protection rules. Also, the DUAA lowered the standards that alternative transfer mechanisms, such as contractual clauses, need to reach in order to adequately protect personal data abroad.
If, however, the UK government were to take this path, the UK’s own adequacy decision would face repeal or judicial invalidation. The European Data Protection Board has already pointed out that adequacy “cannot be interpreted as not including the need for an independent supervisory authority and effective and enforceable data subjects’ rights”. Likewise, the UK adequacy decision sits on the commitment, made by UK authorities, to abide by these norms even if not listed in UK law. Notably, UK adequacy also establishes an unprecedented monitoring mechanism, where the Commission could require UK authorities to address any developments that undermine the level of protection afforded to EU personal data within three months – or else, face the repeal, suspension or amendment of the UK adequacy determination.
We need UK Digital Sovereignty
As it turns out, the General Data Protection Regulation deems transfers to the US to be unsafe not because of legal abstractions. It does, instead, capture the unsafe nature of these data transfers, and the high risk posed by technological infrastructure that can be weaponised by an unaccountable government.
The United Kingdom is highly dependent on US technology products and services. Its Invest2035 strategy has been centred around attracting foreign investments and firms. Its AI opportunities action plan encourages fast and loose adoption of AI products by the public sector, and heavy reliance on private (and, often, US based) companies for access to computing power. Peter Mandelson’s Tech Prosperity Deal aims to make the United States the principal technology partner for the UK.
This status quo now sits within the harsh reality that emerges from the US and its collapsing institutional environment, bringing up tough questions. How do you trust a “partner” which systematically evades constitutional check and balances? How reliable are US tech companies and service providers, when regulatory standards and contractual agreements have lost their meaning and enforceability? What will you do when you end up being locked you out of your email account or AI service, due to petty political motives pursued by the US administration of the day?
With ORG’s digital sovereignty report, we detailed how the UK needs a roadmap to de-risk its technological dependency: we must embrace open source and digital commons; strengthen competition and regulation in digital markets; and foster relationships with like-minded partners like the EU. The upcoming new Labour leadership will need to lay out a clear pathway to achieve this.
Read more about the Demand UK Digital Sovereignty campaign

Sentinel — Human

Confidence

This analysis is highly persuasive and grounded in specific legal and economic references, suggesting human authorship that blends expert knowledge with strong political commentary.

Signals Detected
low severity: Erratic sentence length and rhetorical shifts; blend of formal legal citation with highly emotive political rhetoric.
low severity: Strong, purposeful flow that links complex legal concepts (Schrems II, DPF) directly to geopolitical consequences (UK sovereignty); lacks the detached balance typical of pure synthesis.
medium severity: Argumentative skeleton matches a specific policy advocacy pattern: identifying a legal failure, tracing its fallout through international agreements, proposing a dependency correction (Digital Sovereignty), and assigning blame/future action.
low severity: Specific references to legal positions (Schrems II invalidation, specific costs) are integrated logically; no obvious signs of LLM confabulation in the factual linkages.
Human Indicators
The integration of highly specialized, yet emotionally charged, legal and economic facts (e.g., specific cost estimates for non-adequacy decisions, referencing Max Schrems' actions) suggests deep, personalized context.
The sustained polemical tone focused on demanding 'real solutions' and outlining a political roadmap towards 'digital sovereignty' indicates a policy advocacy voice rather than neutral reporting.