The decision on the independence of the Federal Trade Commission does not directly concern the GDPR, but it may weaken one of the political and legal assumptions underpinning the EU-US Data Privacy Framework – By Andrea Monti – Initially published in Italian on La Repubblica-Italian Tech
The ruling against the FTC
The President must be able to exercise absolute control over every component of the administration. Therefore, laws establishing the independence of agencies such as the Federal Trade Commission — which deals, among other things, with the processing of personal data — are unconstitutional.
This, in substance, is the legal principle established by the judgment issued on 29 June 2026 by the Supreme Court of the United States. As a collateral effect, it potentially places outside the law transfers of data to the United States based on the Data Privacy Framework (DPF), concluded with the EU Commission under the General Data Protection Regulation (GDPR).
There is no automatic link between the US decision and the annulment of the DPF, because, as long as the parties continue to apply it and the European Court is not seised of the matter, the agreement, despite all its limitations, remains operational. The problem, however, exists and should be addressed before institutions and companies are placed in enormous difficulty.
The weak point of the Data Privacy Framework
The European regulation on the protection of personal data provides that the data of citizens of Member States may be transferred abroad only if the country of destination offers a level of legal protection at least equivalent to that existing in the EU.
The US legal system does not guarantee this condition. Therefore, in order to prevent the unthinkable from happening — namely, the technological and industrial isolation of the Member States resulting from a prohibition on sending data to the United States — over the years the European Commission has concluded agreements with the American government that were supposed to solve the problem on a stable basis.
In reality, this has never been the case, because all the agreements concluded by the Commission have gradually been annulled by the Court of Justice of the EU in the well-known “Schrems proceedings”. Now even the latest agreement still in force could suffer the same fate if the case were brought before the European judges, also as a consequence of the American ruling.
The political limit of the Brussels Effect
Beyond the legal issues raised by individual cases, the reasons why, ten years after the adoption of the European regulation on data protection, we are still discussing these matters lie essentially in the ideological nature of the way in which the GDPR was conceived, written and applied, and in the Hegelian pretence that it is the theoretical rationality of a rule that changes reality, rather than the other way round.
The GDPR is an old regulation, conceived with a mindset still looking back to the early 2000s, and applied not, as the text of the provision itself clearly states, in order to facilitate the intra-European circulation of data, but to obstruct it. Moreover, it has progressively been applied not to harmonise the legal systems of the Member States, but as a geopolitical instrument of the EU against the United States and, more generally, as a lever to trigger the Brussels Effect: the strategy based on the unilateral adoption of rules intended to influence global markets.
This is not the place to discuss whether the EU treaties do or do not allow the European institutions to play this role. What is certain, however, is that the Brussels Effect works only if the rules are well written; and this is certainly not the case with the GDPR and the acts deriving from it, as the issue of data exports to the United States precisely demonstrates.
State autonomy in defence and security
The EU’s claim — and the matter in dispute over recent years — is to scrutinise the way in which the United States allows its security and intelligence structures to obtain data concerning citizens of EU Member States.
We may rightly be concerned that a law such as the CLOUD Act requires US companies to hand over to the authorities data held anywhere in the world, including by branches and subsidiaries, and that Section 702 of FISA allows the technological surveillance of any foreigner outside the United States.
However, other countries should then be equally concerned that, under Law 137/2023, Italian judicial police officers are not punishable when, during investigations, they “access an information or telematic system, damage, deteriorate, delete, alter or otherwise intervene in an information or telematic system or in information, data and programs contained therein, activate identities, including digital identities, domains and information spaces however named, including through the processing of personal data of third parties, or assume control of or otherwise make use of another person’s domain and information space however named, or carry out preparatory or instrumental activities”.
Why the EU is not the solution
Although legitimate, these concerns have nothing to do with the GDPR for three reasons.
The first is that the founding treaties of the EU reserve defence and security to the individual Member States and, therefore, no European rule may be enacted or interpreted in such a way as to deal with these matters.
The second is that, save for the use of force, no country may impose limits on another as to how it manages its own national interests.
The third is that, subject to treaties concluded on the basis of reciprocity mechanisms, States guarantee rights only to their own citizens.
This is the reason, for instance, that explains the apparently paradoxical questions contained in the green questionnaire once handed out before landing in the United States, now replaced by ESTA.
To these reasons another should be added, perhaps the most important of all: as Lucio Caracciolo has correctly pointed out, Europe is not a political subject endowed with sovereignty superior to that of the Member States.
The issue of independent authorities
If the principle affirmed by the Court, according to which government agencies are not and cannot be independent, were to be generalised, another potentially disruptive effect would be its application also to independent authorities created by European rules, such as the authority for the protection of personal data — in other words, the “privacy authority”.
In the Italian Constitution, indeed, the only independent authority is the judiciary: that is, the magistracy, which is a power of the State subject only to the law and whose members, the magistrates, are selected by public competition, not by co-option.
By contrast, “independent authorities” are established by ordinary legislation, and their members are chosen on a political basis, not necessarily — although the law also provides for this — on the basis of scientific output or professional experience specifically acquired in the field of personal data protection.
Nor could it be argued that Europe has “de facto constitutionalised” independent authorities, because this would mean establishing that the EU has the power to affect the exercise of the sovereignty of a Member State, something prohibited by the treaties.
On the other hand, at least as regards personal data, the EU Charter of Fundamental Rights speaks of an “authority” not as a new subject, but only to indicate the characteristic that such a body must possess in order to protect a fundamental right.
However, in every democratic State, rights are protected by the judiciary, which is an authority and which is independent by virtue of the Constitution. Therefore, strictly speaking, the “other” authorities cannot protect rights and are not as independent as the judiciary.
What might happen now?
As stated at the outset, in the short term nothing should change.
Although NGOs working in defence of civil rights have already asked the European Commission to annul the agreement with the United States, it is highly unlikely that this will happen spontaneously.
It will therefore be necessary to await the outcome of any appeals to the Court of Justice of the EU against the DPF; as of today, however, no such appeals have yet been lodged.
In the meantime, the entire US-EU industrial ecosystem remains exposed to the uncertainty arising from the choice to procrastinate and bury one’s head in the sand, applying the immortal rule theorised by Eduardo: adda passà ’a nuttata — the night must pass.
