EU-US data privacy framework

The EU and US are tightly connected economically: many US companies operate in the EU and vice versa, and personal data flows across the Atlantic every day. Because EU law only allows personal data to be transferred to countries that offer an essentially equivalent level of protection, the two sides have had to agree on a shared framework for those transfers and set the boundaries that protect data on both sides.

One of the first such frameworks was Safe Harbor, a set of principles negotiated between 1998 and 2000. US companies could self-certify that they complied with the principles, and personal data transferred to them from the EU was then treated as adequately protected under the EU Data Protection Directive of 1995.

However, in 2015, in a case brought by privacy activist Max Schrems against the Irish Data Protection Commissioner (Schrems I, case C-362/14), the Court of Justice of the European Union (CJEU) ruled that the Safe Harbor adequacy decision was invalid. The court found that US law, in particular the broad access of US intelligence agencies to transferred data and the lack of effective legal remedies for EU citizens, did not guarantee a level of protection essentially equivalent to that in the EU. As a result, Safe Harbor could no longer be relied on for transfers.


Safe Harbor was replaced by the Privacy Shield, a new framework adopted by the European Commission in July 2016. It was intended to address the concerns of the CJEU and provide a more robust basis for transatlantic data transfers.

The Privacy Shield put the compliance burden on companies. A US business had to self-certify to the US Department of Commerce that it complied with the Privacy Shield Principles, which mirrored EU data protection standards, and a false or broken commitment was enforceable by the Federal Trade Commission.

However, the Privacy Shield also had a short life. On July 16, 2020, the CJEU issued its ruling in case C-311/18, known as the Schrems II ruling. The case started when Max Schrems asked the Irish Data Protection Commissioner to suspend the transfers that Facebook Ireland made to its US parent company under standard contractual clauses (SCCs). Schrems argued that US intelligence agencies could access the personal data once it was sent to or stored in the US, and that this violated the GDPR and the EU Charter of Fundamental Rights.

Although the case concerned SCCs, the CJEU also examined the Privacy Shield and invalidated it. The court held that US surveillance programs, such as those run under Section 702 of FISA and Executive Order 12333, were not limited to what is strictly necessary and gave EU residents no effective judicial redress, so the framework did not provide protection essentially equivalent to the GDPR. The SCCs themselves survived, but the court required data exporters to assess, case by case, whether the law of the destination country undermines the clauses and to add supplementary measures where it does.

On July 10, 2023, the European Commission adopted an adequacy decision for a new EU-US agreement, the Data Privacy Framework (DPF). The DPF builds on Executive Order 14086, signed in October 2022, which introduced necessity and proportionality limits on US signals intelligence and a new two-tier redress mechanism for EU residents, including a Data Protection Review Court. It is meant to be an improved version of the Privacy Shield that fixes the problems highlighted in Schrems II; as before, US companies join by self-certifying to the US Department of Commerce.

Before the decision was adopted, the European Data Protection Board (EDPB) and the European Parliament (EP) raised concerns about whether the new safeguards go far enough, in particular whether the redress mechanism is truly independent and whether US bulk data collection remains possible.

Activists share these worries. Max Schrems and his organization noyb have said they are already preparing legal action against the DPF.
