The third collapse
Safe Harbor lasted fifteen years before the CJEU struck it down. Privacy Shield lasted four. On 29 June 2026, the US Supreme Court removed the enforcement mechanism behind the third attempt. The Data Privacy Framework lasted three.
What happened
The Supreme Court ruled 6-3 in Trump v. Slaughter that the President can fire FTC commissioners at will. The ruling overturns Humphrey's Executor, a 90-year-old precedent that kept the FTC independent from the White House.
That sounds like a domestic American story. It isn't.
The EU-US Data Privacy Framework is the legal agreement that lets European companies send personal data to GitHub, GitLab.com, Bitbucket, and every major US cloud provider. The adequacy decision behind it references FTC independence 259 times. The entire enforcement side of the deal depends on that independence.
Article 8(3) of the Charter of Fundamental Rights requires that data protection compliance "shall be subject to control by an independent authority." Not effective. Independent. That word is constitutional, not negotiable.
As of 29 June, the FTC answers to the President. Chief Justice Roberts called its previous removal protections "just a dried husk."
It isn't only the FTC
The PCLOB, cited 31 times in the adequacy decision, is supposed to review surveillance compliance annually. It lost its quorum in January 2025 when three members were fired. Hasn't functioned since.
The Data Protection Review Court exists through the same executive order. Executive orders can be revoked at any time.
FISA Section 702 lapsed on 12 June. The surveillance authority behind both Schrems I and Schrems II, gone.
Max Schrems, whose challenges brought down the two previous agreements, has through noyb asked the European Commission to withdraw the adequacy decision. Schrems: "The Commission built a legal house of cards under industry pressure." noyb plans to file at the CJEU. Previous cases took two to three years.
What it means
Nobody's data is illegal overnight. The adequacy decision is still formally in force and the Commission hasn't responded.
But the compliance question stopped being theoretical on 29 June. The fallback mechanisms, Standard Contractual Clauses and Binding Corporate Rules, require transfer impact assessments against the same US legal framework. When that framework is what broke, the assessments get harder to sign.
Where Codebahn sits
I picked Scaleway and Hetzner because they're EU companies. Applied that test to every vendor in the stack. Your repos, your pipelines, your secrets stay in the EU. No transatlantic transfer, no adequacy decision needed.
EU-to-EU transfers under GDPR don't require any of these mechanisms. That's why I built it this way.
Three collapses in eleven years is a pattern, not bad luck. The question for European teams used to be "is this compliant?" Now it's "for how long?"
I'd rather not depend on the answer.