The Supreme Court issued two seemingly unrelated decisions: one limiting the power of police to track phone records, and the other stripping away the legal protections that shielded regulators’ independence.
Read separately, each ruling represents a notable legal story. Read together, they show an American privacy regime being tugged in two opposite directions that could end up torpedoing transatlantic data transfers.
The first case, Chatrie v. United States, began with a bank robbery. In May 2019, a man held up a credit union in Midlothian, Virginia, and vanished. Detectives had no suspect. They asked a Virginia magistrate for a “geofence warrant” — an order to compel Google to search its records for every phone that had been within 150 meters of the bank around the time of the crime.
Google complied in stages. It anonymized data from 19 phones. Then it narrowed the list to nine phones. Finally, it found names and numbers for three phones. One belonged to Okello Chatrie. His location history placed him near the bank ten minutes before the robbery, then heading toward a residential neighborhood. That evidence proved enough to convict him.
Chatrie argued that the search itself was unconstitutional — not because of what it found, but because of how it found information. To identify a single suspect, police searched everyone’s movements. No warrant named him. No probable cause pointed to him. He was found because he happened to be nearby, one data point alongside 18 other individuals who had nothing to do with the crime.
By a vote of 6-3, the Supreme Court rejected the government’s argument that Chatrie had forfeited his privacy simply by owning a smartphone and letting Google track it. Using a cell phone is not consent.
The Court did not go so far as to ban geofence warrants. It sent the case back to the Fourth Circuit to decide whether this particular warrant met the Fourth Amendment’s demands for probable cause. But it affirmed the underlying principle that police need real justification before going through everyone’s location data.
However, the ruling may have little practical impact. In 2025, Google shifted location history storage from centralized servers onto individual devices, telling courts it could no longer technically comply with bulk geofence requests. Justice Samuel Alito, dissenting, used this development to describe the majority’s opinion as “advisory.” He has a point. Constitutional law had arrived to bless an outcome that the tech giant had already delivered.
The second ruling has nothing to do with location data, bank robberies, or Google. It concerns something more abstract: who gets to fire the people who watch the watchers?
Trump v. Slaughter arose from President Donald Trump’s March 2025 decision to remove two Democratic commissioners from the Federal Trade Commission (FTC) without citing any legal cause — despite a 1934 statute stating that FTC Commissioners may be dismissed only for “inefficiency, neglect of duty, or malfeasance in office.” Fired Commissioner Rebecca Slaughter sued, citing a precedent that had long shielded commissioners of independent agencies from being fired for holding the wrong politics.
The Supreme Court, in the same 6-3 alignment, sided with the president. Chief Justice John Roberts, writing for the majority, held that the FTC “unquestionably exercises executive power” and must answer to the president. Commissioners at dozens of other independent bodies, from the Federal Communications Commission to the Securities and Exchange Commission and the Consumer Product Safety Commission, previously insulated from politics, can now be dismissed for policy disagreement.
Although this is a separation-of-powers case, not a privacy case, a connection exists. It runs through the EU-US Data Privacy Framework, which allows companies to legally move Europeans’ personal data onto American servers. That $9.8 trillion of transatlantic trade survives only because Brussels has certified that American oversight of government surveillance is “adequate” — meaning independent enough, in practice, to check abuse. Twice before, under different names, Europe’s courts have torn-up agreements after finding that certification wanting.
The current framework depends on assurance that US oversight bodies operate with genuine independence from whoever occupies the White House. Trump v. Slaughter eliminates that presumption. Within days, the European Data Protection Board announced it would “carefully assess” the ruling’s implications for the framework’s oversight mechanisms.
This is the complication that makes the two rulings inseparable. Chatrie narrows what the government can compel technology companies to hand over about ordinary people. It is a privacy victory. Slaughter, on the other hand, weakens the independence of the very bodies meant to police how the government behaves with whatever data it still obtains.
European anxiety about the Data Privacy Framework centers on US authorities accessing personal data. Chatrie cuts against that fear, making it more difficult for governments to gain access to such data. If Slaughter counts as evidence against US oversight, intellectual consistency demands that Chatrie count as evidence for it.
American privacy protection is not a coherent regime, built deliberately and defended as a whole. It is an accumulation of separate legal skirmishes — a Fourth Amendment case here, a removal-power case there, a corporate liability calculation somewhere else — that happen to intersect, sometimes reinforcing each other and sometimes not.
Europe built its privacy framework by statute, in advance, applied uniformly. The US is discovering its framework retroactively, case by case, sometimes strengthening it and sometimes gutting its foundations — often on the very same day, by the very same Court.
Foreign regulators noticed the connection within forty-eight hours. It would be a mistake for Americans to miss it.
Elly Rostoum is a Senior Resident Fellow with the Center for European Policy Analysis (CEPA).
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.
Tech 2030
A Roadmap for Europe-US Tech Cooperation