Summary
The U.S. Supreme Court has ruled that the president may remove Federal Trade Commission commissioners. That may sound like American administrative law. But the FTC is one of the institutions the EU relied on when it decided that the United States offered adequate protection for European data transfers.
When that oversight becomes more politically conditional, a constitutional question in Washington turns into an operational, compliance and supplier-risk question in Europe.
This is not a call to cut ties with American technology. It is a case for building European alternatives people can actually move to.
This is easy for me to say.
I am building a European cloud provider. I have an obvious commercial interest in European businesses taking European digital infrastructure more seriously. And, with full self-awareness: I am not sure I would enter the United States without an extra round in secondary inspection, given some of the things I have written publicly.
That is exactly why this has to be said carefully.
This is not about being anti-American. It is about risk management.
The U.S. Supreme Court has ruled in Trump v. Slaughter that the president may remove Federal Trade Commission commissioners. Reuters described it as a 6–3 decision expanding presidential power over independent regulatory agencies, including the FTC, and overturning the Humphrey’s Executor precedent that had stood since 1935.[1]
To most people, this sounds like American administrative law. Interesting for lawyers, far from the daily reality of a European business.
It is not.
The Federal Trade Commission is one of the U.S. institutions the European Union relied on when it assessed whether the United States provides an adequate level of protection for European data transfers. NOYB points out that the European Commission’s EU–US Data Privacy Framework decision relies on the independent FTC 259 times, and that the framework rests on assumptions about independent U.S. oversight.[2]
When that independence becomes more politically conditional, this stops being only an American constitutional question. It becomes a European operational, compliance and supplier-risk question.
We have been here before
Europe has already lived through two transatlantic data-transfer frameworks that collapsed.
Safe Harbor fell. Privacy Shield fell. In 2023, the EU–US Data Privacy Framework became the third attempt at a stable legal basis for moving personal data from the EU/EEA to certified U.S. companies. The European Commission adopted the adequacy decision on 10 July 2023, allowing transfers to participating U.S. organisations without additional authorisation under EU law.[3]
None of this becomes unlawful tomorrow.
The Data Privacy Framework is still formally in force. Its legal status would have to be changed by the European Commission or annulled by the Court of Justice of the European Union. No one should panic-migrate because of a press release, a legal commentary or a LinkedIn post.
But the risk picture has changed.
And that is the point.
If the digital everyday life of European businesses depends on how independent an American regulator is allowed to remain after the next round in Washington, we already have our strategic answer.
We do not only have a legal problem.
We have a dependency problem.
Compliance is not the same as control
This may be one of the most important misunderstandings in European technology.
We have treated digital sovereignty as a compliance exercise. Do we have a data processing agreement? Do we have SCCs? A Transfer Impact Assessment? Does the supplier hold a certificate? Has someone written an assessment that looks solid in an audit archive?
All of that has value.
None of it is the same as control.
Control is about where data is processed. Who has jurisdictional reach. Which subprocessors are involved. How easy it is to leave. Which formats are used. How much of the organisation can keep running if a legal basis weakens, a service changes its terms, a regulator intervenes, or a political conflict moves into the infrastructure layer.
That is where European businesses need to think more maturely.
Not: “Can we find another rule that saves us this time?”
But: why does so much of our digital infrastructure keep needing to be saved?
This is not a call for digital isolation
I do not believe Europe should build a technological wall.
That would be both foolish and unrealistic. American technology has been, and remains, enormously important. Many of the world’s best products, tools and developer ecosystems come from the United States. I use American services myself where they make sense, and most European businesses will keep doing the same.
There is a large difference between interoperability and structural dependency.
It is one thing to use a U.S. service when that use is necessary, deliberate and documented. It is something else entirely when email, documents, calendars, files, customer data, identity, backup, analytics, support and internal communication all land, by default, in the same jurisdictional risk bucket.
The FTC describes the Data Privacy Framework as a voluntary framework that replaced Privacy Shield and provides a mechanism for companies to transfer personal data from the EU to the United States in a privacy-protective way consistent with EU law.[4]
That mechanism still exists.
But if one of the enforcement assumptions behind it grows weaker, European businesses should not pretend nothing has changed.
So the practical question is not whether Europe should sever all ties with the United States.
The question is where we actually need the United States — and where we have simply grown used to outsourcing control.
European cloud must become better, not just more European
As the founder of a European cloud provider, I obviously believe Europe needs more European alternatives.
But let us be honest: an EU flag on an inferior service is not enough.
European cloud, SaaS and collaboration technology has to become good enough that people want to move. Not because the lawyer tells them to. Not because a regulator warns them. Not because a PDF says “sovereign”.
It has to be practical.
Email must work. Calendars must work. Files must sync. Video meetings must be simple. Backup must be understandable. Import and export must be real. Open formats must be more than marketing. Vendor lock-in must be reduced in practice, not merely replaced by a new supplier with a European postal address.
This is a criticism of those of us building the alternatives, too.
We cannot ask European businesses to trade productivity for principles. We have to build services that make the better choice the easier one.
Digital sovereignty only becomes relevant when it can be bought, used, migrated to and operated without the organisation grinding to a halt.
What should happen before the summer holiday
This is a good moment for European leaders, IT teams and boards to run a simple exercise.
No panic. No “move everything now”. No grand strategy document that nobody reads.
Just an honest overview:
- Which U.S. suppliers process personal data for us?
- Which services are critical to daily operations?
- Which data leaves the EU/EEA?
- Which processors rely on American subprocessors?
- Where do email, files, calendars, identity, backup, analytics and support data actually sit?
- Do we have a realistic exit plan?
- Can we export our data in open formats?
- How long would a move take if the risk picture shifts further?
That is not drama. That is ordinary business governance.
For public-sector organisations, healthcare, education, finance, law firms, critical infrastructure, technology companies and anyone handling sensitive data, it should be more natural still.
Not because everything American is wrong.
Because uncritical dependency is poor risk management.
Washington is not building European technological independence
No one in Washington is trying to build European technological independence.
That is not their job.
But American domestic conflicts keep handing us new reminders of why Europe has to do the work itself.
Every time a legal framework weakens, we may be able to find a new formulation. A new transitional mechanism. A new assessment. A new plaster. That may be necessary. Large organisations cannot switch off their systems because the geopolitical temperature changes.
At some point, though, we have to stop confusing temporary legal stabilisation with strategic control.
Closing
The Data Privacy Framework is still in force. But its foundation looks less certain than it did a few days ago.
For me, the lesson is simple.
Europe does not only need more rules to rescue old dependencies.
Europe needs functioning alternatives people can actually move to.
Portability, European SaaS, European cloud and open standards are no longer idealistic niche topics.
They are adult risk management.
Sources
- European Commission — Adequacy decision for safe EU-US data flows
- Federal Trade Commission — Data Privacy Framework business guidance
- Data Privacy Framework Program — Program overview