Launch wallet passes from your own platform.Discover Passcreator Embedded!

Schrems III Is Becoming More Likely: Why Your U.S. Tools Could Pose a Data Protection Risk

Schrems III Is Becoming More Likely: Why Your U.S. Tools Could Pose a Data Protection Risk

Two out of two EU-U.S. data protection agreements have been struck down by the European Court of Justice. Now, the U.S. Supreme Court has overturned the independence of the key U.S. data protection regulator, and noyb is preparing its next lawsuit. A renewed fundamental review of the EU-US Data Privacy Framework before the CJEU has become significantly more likely. When it will take place and what the outcome will be remains to be seen.

On June 29, 2026, the U.S. Supreme Court ruled in the case of Trump v. Slaughter that the U.S. President may dismiss members of the Federal Trade Commission at any time and without cause. Two days later, noyb—the organization led by Max Schrems—called on the European Commission to withdraw the EU-U.S. Data Privacy Framework.

The Data Privacy Framework is still in effect. Data transfers to the U.S. haven’t become illegal overnight. But they weren’t illegal before Schrems I either. Nor were they before Schrems II. Both times, the message was: “Everything’s fine; the agreement is still in place.” Until it fell apart. So you should act now.

This article explains what happened, why it affects your customer data, and what you should do as soon as possible.

Note: This article is for informational purposes only and does not constitute legal advice. You should seek legal counsel for a legal assessment of your specific situation.

What happened on June 29, 2026?

The U.S. Supreme Court ruled 6–3 that the protection that has shielded FTC commissioners from unfounded dismissal by the president since 1935 is unconstitutional.

In simple terms:

  • The FTC is led by several commissioners
  • They were legally protected from being fired without just cause
  • The Supreme Court has struck down this protection—after 91 years
  • The U.S. President can now replace FTC members at any time and without justification

Chief Justice Roberts wrote: “The FTC unquestionably exercises executive power, and must therefore be controlled by the Chief Executive.”

Justice Sotomayor warned in her dissent: “Today, the Court discards [this] democratic regime in favor of one that distorts the structure of government.”

For European companies, this means that the FTC’s legal protection against political influence has been significantly weakened. The implications this has for the legal assessment of the Data Privacy Framework are controversial and are likely to occupy European courts in the future.

Why the EU-U.S. Data Privacy Framework Is Now in Jeopardy

The FTC: The Cornerstone of the DPF

The EU-U.S. Data Privacy Framework (DPF) is the third attempt to establish a legal basis for EU-U.S. data transfers. Over 3,400 U.S. companies are certified—including the major cloud and SaaS providers on which nearly every European company relies.

The FTC is the agency that oversees and enforces this system. Noyb has counted: In its adequacy decision, the European Commission refers to the FTC and its independence 259 times. This independence will no longer be legally guaranteed as of June 29, 2026.

Noyb’s response was unequivocal: “The Supreme Court’s decision cements the case for tearing up the DPF.”

The PCLOB: The Second Point of Failure

The FTC is not the only problem. In Schrems II, the European Court of Justice made it clear that the core problem is mass surveillance by U.S. intelligence agencies. The Privacy and Civil Liberties Oversight Board (PCLOB)—a body that oversees intelligence agencies’ access to data—was intended to protect against this.

Trump also dismissed its Democratic members. An appeals court had stayed the dismissals pending the Trump v. Slaughter ruling. It is now likely that the new principles will also be applied to the PCLOB.

This is likely to undermine both oversight pillars of the DPF simultaneously. Counterargument: Is the FTC really the sticking point?

This assessment is legally controversial. Prof. Alexander Golland argues on beck-aktuell (July 6, 2026) that the FTC’s independence, in and of itself, does not constitute a major breach. The ECJ did not overturn the Privacy Shield because of a lack of FTC enforcement, but because of the powers of U.S. intelligence agencies. The real danger lies with the PCLOB, and that is precisely where the next legal battle is looming.

The Schrems Pattern: The Same Script, Three Times Over

AgreementWhat HappenedYear
Schrems ISafe HarborECJ declares it invalid2015
Schrems IIPrivacy ShieldECJ declares it invalid2020
Schrems IIIData Privacy FrameworkNoyb is preparing a lawsuit2026

It’s always the same story:

  1. 1. The EU Commission concludes a data transfer agreement with the U.S.
  2. 2. Schrems / noyb files a lawsuit
  3. 3. The European Court of Justice overturns the agreement because U.S. surveillance violates European fundamental rights
  4. 4. New negotiations. New agreement. Back to step 2.

This pattern has played out twice. Twice, the agreement has failed.
And this time, the situation has worsened, not improved.

What Has Deteriorated Since the DPF Was Adopted

DateSituation
July 2023 (DPF adoption)FTC independent, PCLOB fully staffed, Executive Order 14086 in effect
March 2025Trump fires Democratic FTC and PCLOB members
September 2025EU court dismisses Latombe lawsuit—but only based on the situation as of 2023
June 2026Supreme Court overturns FTC’s independence
July 2026Noyb Demands Withdrawal of DPF and Announces Lawsuit

In 2023, the EU Commission adopted an agreement based on the independence of U.S. regulatory agencies. Three years later, this independence was overturned by a Constitutional Court ruling. Key assumptions on which the European Commission’s 2023 assessment was based have since changed. The full legal implications of these changes have not yet been definitively clarified.

Is this already Schrems III?

Not yet, in the sense of a European Court of Justice ruling. But the wheels are in motion:

  • On June 30, 2026, Noyb sent a written requestto the European Commission to withdraw the DPF and announced that it would file a lawsuit
  • The Latombe appeal (C-703/25 P) is pending before the ECJ—the ECJ must address the DPF
  • The European Commission has not yet responded publicly

As of July 14, 2026, according to publicly available information, the noyb lawsuit has not yet been formally filed. But noyb proved in Schrems I and II: When they announce a lawsuit, it happens.

What does the Latombe case have to do with this?

French Member of Parliament Philippe Latombe filed a lawsuit challenging the EU-US Adequacy Decision. The EU General Court dismissed the lawsuit in September 2025 and confirmed the validity of the DPF, though explicitly only based on the factual and legal situation at the time of its adoption in 2023.

The court stated: “If the legal framework in the United States changes, the Commission may decide to suspend, amend, or revoke the decision.”

Latombe filed an appeal on October 31, 2025. The case is pending before the European Court of Justice under case number C-703/25 P.

This is relevant to the Schrems III debate for two reasons:

  1. 1. The CJEU must address the DPF—regardless of whether noyb files its own lawsuit.
  2. 2. If the CJEU affirms the right of individuals to bring legal action, this opens the door to further individual lawsuits—including those by noyb.

Is the Data Privacy Framework still valid?

Yes. For now. The adequacy decision remains in effect until the European Commission amends, suspends, or withdraws it, or an EU court invalidates it.

But “still valid” does not mean “secure.” Safe Harbor was also valid right up until the day the ruling was handed down. The same goes for Privacy Shield. Companies that had relied on them were then faced with a problem they could not solve within 48 hours.

Anyone who hasn’t reviewed their data transfers to the U.S. before a ruling is handed down will no longer have time to do so after the ruling.

Are Google, Microsoft, AWS, and other U.S. services now illegal?

No. You can’t make such a blanket statement. Whether a specific U.S. service can be used in compliance with data protection regulations depends on several factors:

  • Is any personal data being transferred to the U.S. at all? Some services can be configured so that data remains in the EU; however, an EU data center alone does not guarantee that no transfer to a third country will take place—for example, if the provider’s U.S. employees have access to the data.
  • Is the specific provider or U.S. company DPF-certified? Not every product from a U.S. corporation is automatically covered by the DPF.
  • What is the legal basis for the transfer specified in the data processing agreement? DPF certification, Standard Contractual Clauses (SCCs), or both?
  • What types of data are processed? Anonymized analytical data must be evaluated differently from health or employee data.
  • What technical safeguards are in place? Encryption is only effective if the U.S. provider does not have access to the keys.

Each service must be considered individually.

Are Standard Contractual Clauses the solution?

Many companies think, “If the DPF fails, we’ll just use SCCs.” Unfortunately, it’s not that simple.

The European Court of Justice clarified in Schrems II that standard contractual clauses alone are not sufficient if the recipient country does not offer an adequate level of protection. Companies must:

  1. Conduct a Transfer Impact Assessment (TIA)—separately for each provider
  2. Implement additional safeguards—encryption, pseudonymization, access restrictions
  3. Verify whether these measures are actually effective—encryption only protects if the U.S. provider does not have access to the keys

For many common cloud services, point 3 is the problem: The provider must be able to access the data in plain text for the service to function. In these cases, SCCs alone are not sufficient.

SCCs are an emergency brake, not a parachute.

What you need to do NOW:

1. Data inventory (this week)

Make a list. Now. It doesn’t have to be perfect, but it should at least be complete:

QuestionEnter answer
Which U.S. providers do you use?
What personal data do they receive?
Where is the data stored?
Who in the U.S. can access the data?
What is the legal basis for the transfer specified in the contract?

2. Review the legal basis for data transfers (this month)

For each provider on your list:

  • Is the specific U.S. company DPF-certified?
  • Have SCCs also been agreed upon?
  • Is a Transfer Impact Assessment available?
  • Will the TIA still be valid after June 29, 2026?

3. Prioritize Critical Data

Start with what hurts the most:

  • Health data (insurance cards, patient data)
  • Employee data (HR systems from U.S. providers)
  • Customer databases (CRM, newsletters, loyalty programs)
  • Financial data (payments, accounting)

4. Prepare Plan B before you need it

  • Research EU/EEA alternatives for critical systems
  • Test data export and migration (don’t just plan for them)
  • Document contract terms and notice periods
  • Set up particularly sensitive processes regionally now

5. Set up monitoring

SourceWhat to monitor?
noyb.euWill the lawsuit be filed?
ECJ / EUR-LexProgress in Case C-703/25 P (Latombe)
European CommissionResponse to noyb’s letter, DPF review
EDPB / BfDIOpinions, Guidelines
U.S. CourtsApplication of the Logic to PCLOB

Why the Specific Data Architecture Is Crucial

When evaluating cloud services, it is not enough to simply look at the location of the data center. What matters most is which companies are involved in the processing, where personal data is processed, and whether access or transfers from third countries are possible.

If personal data is processed exclusively within the EEA and there is no access from third countries, neither the EU-U.S. Data Privacy Framework nor standard contractual clauses are generally required for this processing. As soon as U.S. companies, third-country subcontractors, or corresponding access options are involved, the specific transfer arrangement must be reviewed separately.

EU Hosting Without a U.S. Parent Company: Why the Data Center Operator Matters

A data center in Frankfurt does not automatically make a cloud service a purely European solution. It is also crucial which company operates the data center and which jurisdiction that company is subject to.

Passcreator uses data centers in Germany that are operated by European companies and do not belong to a U.S. corporate group. The term “European-owned hosting” is sometimes used to describe this: The server location is in Europe, and the operator is also a European company.

For companies, this means that the management and provision of their wallet passes are handled via a European platform hosted in Germany by European data center operators. This significantly reduces direct dependence on the EU-US Data Privacy Framework for the core system.

This provides greater planning certainty and digital sovereignty, particularly for customer cards, membership cards, tickets, and digital credentials used over the long term.

CheckpointPasscreatorU.S. cloud provider
Company headquarters✅ Germany⚠️ USA
Data location✅ Germany⚠️ Depending on the provider, partly in the EU
Data center operators✅ European company, not a U.S. corporation🔴 U.S. company—even if the server is located in the EU
U.S. CLOUD Act✅ No U.S. companies involved in the hosting infrastructure🔴 May be relevant regardless of server location
Schrems III risk✅ Low🔴 High
GDPR legal basis✅ EU processing⚠️ Transfer to a third country

Why this is relevant right now

Wallet Passes contain personal data. Depending on their intended use, this includes:

  • Digital loyalty cards: names, customer numbers, contact information, loyalty points
  • Digital insurance cards: insurance numbers, policy details, and in some cases, health information
  • Membership cards: Personal identification numbers, access levels, organizational affiliation
  • Access permissions: Who is allowed where and when—including location data
  • Event tickets & coupons: purchasing behavior, usage patterns, location data

With a U.S. wallet provider, this data is stored on U.S. infrastructure or can at least be requested by U.S. authorities. Not so with Passcreator. No transfers to third countries, no Cloud Act, virtually no Schrems risk.

Whether it’s membership cards, customer loyalty cards, insurance certificates, access permissions, or loyalty programs: Passcreator’s hosting infrastructure, operated by European companies, remains in place—regardless of whether the EU-U.S. Data Privacy Framework stands or falls.

Check now to see on what basis your most important U.S. tools process data. Or switch directly to a solution where this question doesn't even arise.

Passcreator Try it out—hosting in Germany with European data center operators.

European Providers Instead of Dependence on the U.S.: What’s Possible Now

The Schrems III debate isn’t an isolated data protection issue; it’s part of a much larger question: How dependent do we want to be on U.S. technology?

According to a representative Bitkom survey from April 2026, 93 percent of Germans believe their country is dependent on other countries when it comes to digital technologies. 99 percent think it’s important to become more independent. And one-third have already made a conscious decision to switch to a European provider.

At the same time, the study highlights the dilemma: 55 percent feel that switching to European providers is too much of a hassle.

That’s understandable when it comes to complete CRM systems or office suites. But there are areas where switching to a European solution isn’t a massive undertaking—it can be done in a few hours or days.

Switching to a European wallet-pass provider without a U.S. parent company is one such quick switch.

The switch that doesn’t hurt

  • No migration project: You simply create your Wallet Passes at Passcreator instead of with your previous provider
  • Same devices: The passes appear in Apple Wallet and Google Wallet; your customers won’t notice a difference
  • API integration: Passcreator offers a REST API that can be integrated into existing systems
  • Get started right away: No tedious onboarding process, no approval procedures that drag on for months

With Passcreator, switching to “made in Europe” really is easy.
We promise! Just talk to us.

Between Panic and Waiting It Out

There’s currently no reason for an unplanned, immediate exit from all U.S. services. The DPF is valid, the lawsuit hasn’t been filed, and a ruling by the European Court of Justice is years away.

However, it would be just as negligent to ignore the issue. Noyb’s track record shows that these lawsuits have real consequences. Safe Harbor fell. Privacy Shield fell. Both times, “everything was valid” for years beforehand—until it wasn’t anymore.

The most sensible response is to review the legal basis, prioritize critical data flows, and prepare realistic alternatives.

Conclusion: Three Questions, Three Honest Answers

Has Schrems III already been decided? No. There is no CJEU ruling, and noyb has not yet formally filed a lawsuit. But the lawsuit has been announced, and the Latombe case is already pending before the CJEU.

Is the Data Privacy Framework currently invalid? No. The Adequacy Decision is in force. But its basis—the independence of the U.S. data protection authority—is no longer legally guaranteed as of June 29, 2026.

Has the risk increased? Yes, significantly. Two out of two previous agreements have failed before the CJEU. The starting point for the third is worse than for the previous two.

Companies that process their customer data in U.S. cloud services now need a Plan B. The DPF won’t fall apart tomorrow or next week, but it’s coming—and by then, your company will be too late.

FAQ

What is Schrems III?

Schrems III is the anticipated third major legal challenge before the European Court of Justice regarding the legality of EU-U.S. data transfers. The term follows Schrems I (2015, Safe Harbor overturned) and Schrems II (2020, Privacy Shield overturned). Currently, Schrems III is not a concluded case, but rather a scenario for which companies should prepare.

Has a Schrems III ruling been issued yet?

No (as of July 2026). The U.S. case Trump v. Slaughter is a U.S. constitutional ruling, not an EU data protection ruling. Noyb has announced an action before the CJEU but has not yet formally filed it. At the same time, the Latombe appeal (C-703/25 P) is pending before the CJEU.

Is the EU-US Data Privacy Framework still in effect?

Yes. The Adequacy Decision (EU 2023/1795) remains in effect until the European Commission amends, suspends, or revokes it—or until a competent EU court overturns it. That has not happened yet.

Are data transfers to the U.S. now prohibited?

No. The legality depends on the specific basis for the transfer: DPF certification, Standard Contractual Clauses (SCCs), Binding Corporate Rules (BCRs), or consent. Each transfer must be assessed on a case-by-case basis.

What does this mean for Google Analytics, Microsoft 365, AWS, or HubSpot?

Each service must be considered individually: What data is being transferred and where? Which U.S. company is the contractual partner? What is the legal basis for the transfer? What technical safeguards are in place? The key factor is whether personal data is transferred to the U.S. or whether U.S. employees have access to it.

Are Standard Contractual Clauses (SCCs) a sufficient alternative?

Not automatically. SCCs require a Transfer Impact Assessment (TIA) and, if necessary, additional technical and organizational measures. If the U.S. provider must access the data in plain text for the service to function, protection through encryption is ineffective—and SCCs alone are not sufficient.

What is the difference between EU hosting and European-owned hosting?

EU hosting primarily describes only that data is processed on servers within the EU. The operator can still be a U.S. company. With European-owned hosting, the data centers are located in Europe and are also operated by European companies that are not owned by a U.S. corporation.

As of July 15, 2026. This article will be updated as new developments arise.

This article reflects the assessment of Passcreator and is not a substitute for individual legal advice. For your specific data transfer situation, please contact your data protection officer or a specialized law firm.

Sources: U.S. Supreme Court, Trump v. Slaughter (Case No. 25-332); EUR-Lex, Implementing Decision EU 2023/1795; ECJ, C-703/25 P; noyb.eu; beck-aktuell (Prof. Dr. Alexander Golland, July 6, 2026); IAPP; SCOTUSblog; CNBC.

Digital Identity Is Becoming Mandatory: Here's What Companies Need to Do Now