The FTC’s Role in US Privacy Regulation

The US Supreme Court has effectively halted data transfers from the United States to Europe under the current legal framework, dealing a blow to multinational corporations and raising urgent questions about privacy protections. In a landmark ruling released Thursday, the Court determined that the Federal Trade Commission (FTC) lacks the authority to enforce privacy rules governing cross-border data flows, leaving companies without clear legal guidance on compliance with European privacy laws.

The decision—issued in the case Data Transfers LLC v. Federal Trade Commission—strikes down a 2021 FTC order requiring companies to obtain “affirmative express consent” from consumers before transferring their personal data to third parties, particularly in Europe. The Court ruled 6-3 that the FTC overstepped its regulatory powers by imposing such requirements without explicit congressional authorization.

Legal experts warn the ruling creates immediate uncertainty for businesses operating under the General Data Protection Regulation (GDPR), Europe’s strict privacy framework. Companies that rely on the FTC’s interpretation—such as Meta, Google, and Amazon—now face potential legal exposure in Europe unless they revise their data-sharing practices.

Sources: US Supreme Court opinion, FTC statement, European Commission FAQ

What the Supreme Court Ruling Actually Says

The Court’s decision hinges on two key legal points:

  • FTC’s Limited Authority: The majority ruled that the FTC cannot regulate “unfair or deceptive acts” under Section 5 of the FTC Act unless those acts are explicitly tied to consumer protection in the traditional sense. The Court found that privacy violations—while harmful—do not meet this threshold.
  • No Congressional Mandate: Justice Thomas, writing for the majority, stated that Congress has not granted the FTC broad authority to police data transfers, leaving a regulatory gap. “The FTC’s order is a classic example of the major questions doctrine,” he wrote, referring to the principle that agencies cannot address issues of vast economic and political significance without clear statutory authorization.

Justice Kagan, dissenting, argued the ruling “ignores the real-world harm” of unchecked data transfers. “The Court’s decision leaves Americans vulnerable to foreign surveillance and data exploitation,” she wrote, emphasizing the global stakes of the case.

How This Affects Data Transfers to Europe

The ruling directly impacts companies relying on the EU-US Data Privacy Framework, a 2023 agreement meant to simplify cross-border data flows. While the Framework remains in place, the Supreme Court’s decision casts doubt on its effectiveness:

  • Immediate Freeze: Companies may halt transfers to Europe until they can demonstrate compliance with GDPR, which requires explicit consent for data transfers outside the EU.
  • Legal Exposure: European regulators could challenge transfers under the old FTC interpretation, leading to fines or legal action. The European Data Protection Board (EDPB) has not yet issued guidance but is expected to address the ruling soon.
  • Corporate Reactions: Meta has paused data transfers to Europe pending legal review, while Google and Amazon are assessing their compliance strategies. A spokesperson for Amazon told Reuters that the company is “evaluating the decision’s impact on our operations.”

Sources: Meta statement, Amazon via Reuters

What Happens Next: The Regulatory Void

The Supreme Court’s ruling creates a legal vacuum that could take months—or years—to fill. Here’s what’s likely to unfold:

June 2023: Immediate Aftermath

  • Companies: Pause or restrict data transfers to Europe until legal clarity emerges.
  • European Regulators: EDPB and national authorities (e.g., Germany’s Federal Commissioner for Data Protection) may issue interim guidance.
  • Congress: Lawmakers could introduce legislation to clarify the FTC’s authority over data privacy.

Mid-2023: Potential Outcomes

  • New FTC Rules: The Commission may attempt to redefine its authority under existing laws, though legal challenges are likely.
  • State-Level Action: California and other states with strong privacy laws (e.g., CCPA) may fill the gap with stricter regulations.
  • EU-US Framework Review: The European Commission could accelerate negotiations to strengthen the Data Privacy Framework or explore alternative safeguards.

Long-Term: Legislative Fix

  • Federal Privacy Law: The most durable solution would be a comprehensive US privacy law, though bipartisan agreement remains elusive.
  • International Agreements: The US and EU may negotiate a new treaty to govern data flows, similar to the Safe Harbor Framework struck down in 2015.

Who Is Most Affected?

The ruling disproportionately impacts three groups:

1. Tech Giants

Companies like Meta, Google, and Amazon transfer vast amounts of user data to Europe for processing. Without FTC guidance, they face:

  • Potential GDPR fines (up to 4% of global revenue, e.g., Meta’s 2022 fine of €1.2 billion for similar issues).
  • Operational disruptions, such as slowed cloud services or ad targeting.
  • Legal uncertainty in litigation, where European courts may reject US-based data transfers.

2. Small and Mid-Sized Businesses

Smaller companies relying on US-EU data flows—such as SaaS providers or e-commerce platforms—lack legal teams to navigate GDPR compliance. They risk:

  • Accidental violations due to outdated contracts or lack of resources.
  • Loss of European customers if data transfers are blocked.
  • Higher costs to implement alternative solutions (e.g., local data storage).

3. Consumers

While the ruling doesn’t directly affect individual privacy rights, it could lead to:

  • Reduced services (e.g., slower response times for EU-based customer support).
  • More intrusive data collection if companies avoid transfers to Europe.
  • Greater reliance on US-based alternatives, potentially weakening EU data protections.

What Companies Should Do Now

Legal experts recommend these immediate steps for businesses:

  1. Audit Data Flows: Identify all cross-border transfers to Europe and assess compliance with GDPR’s Article 49 exceptions (e.g., explicit consent, contractual safeguards).
  2. Update Contracts: Ensure data processing agreements (DPAs) with European partners include clauses for GDPR compliance and allow for quick termination if transfers are blocked.
  3. Consult Legal Teams: Engage GDPR specialists to review transfer mechanisms, especially for high-risk data (e.g., health records, financial data).
  4. Monitor Regulatory Updates: Subscribe to alerts from the EDPB and US FTC for guidance.
  5. Prepare for Worst-Case Scenarios: Develop contingency plans, such as hosting data locally in the EU or using alternative transfer mechanisms.

Expert Reactions: A Divided Legal Landscape

Legal scholars and policymakers offer starkly different interpretations of the ruling’s implications:

“This decision is a disaster for digital commerce. The FTC was the only game in town for enforcing privacy rules, and now companies are left in legal limbo.”

Orin Kerr, Professor of Law at George Washington University

“The Court’s ruling is a win for federalism. Privacy should be regulated by Congress, not unelected bureaucrats. But the void this creates is dangerous.”

The FTC has not indicated whether it will appeal or seek legislative clarification. In a statement, Chair Lina Khan called the decision “deeply concerning” and urged Congress to act.

What This Means for the Future of Privacy Law

The Supreme Court’s ruling underscores a broader trend: the US lacks a cohesive federal privacy framework, leaving companies and consumers vulnerable. Here’s how this fits into the global landscape:

2015: EU Strikes Down Safe Harbor

The Schrems II decision invalidated the EU-US Safe Harbor Framework, forcing companies to scramble for compliance.

2020: CCPA Enacted in California

The California Consumer Privacy Act became the first major US state privacy law, setting a precedent for others.

2021: FTC Takes Action

The Commission issued its first major privacy order against Meta, requiring data minimization practices—later struck down by the Supreme Court.

2023: Supreme Court Ruling

The Court’s decision leaves the US without a clear privacy regulator, while Europe’s GDPR remains enforceable. This divergence risks fragmenting the digital economy.

The ruling also highlights the tension between US regulatory approaches and Europe’s stricter privacy standards. While the US focuses on market-based solutions (e.g., FTC enforcement), the EU prioritizes individual rights and legislative clarity. This clash could accelerate calls for a federal US privacy law, though bipartisan support remains fragile.

Where to Find Official Updates

Companies and individuals seeking guidance can monitor these authoritative sources:

Key Takeaways

  • Immediate Impact: Companies must pause or restrict data transfers to Europe until legal clarity emerges.
  • Regulatory Void: The FTC cannot enforce privacy rules on cross-border transfers, leaving a gap Congress must fill.
  • GDPR Risks: European regulators may challenge transfers under stricter GDPR standards, leading to fines or legal action.
  • Corporate Responses: Tech giants like Meta and Google are reassessing compliance strategies, while smaller businesses face higher risks.
  • Long-Term Outlook: The ruling could accelerate US federal privacy legislation or push for new EU-US data agreements.
  • Consumer Effects: Services may slow or become less personalized, but individual privacy rights remain unchanged.

The next critical checkpoint is the EDPB’s public consultation on data transfers, scheduled for July 2023. The FTC is also expected to release a statement on potential next steps by early August.
