If your website uses Google Analytics, Cloudflare, Stripe, or any US-based service, you're transferring personal data across borders. The Schrems II ruling invalidated the EU-US Privacy Shield, and the new EU-US Data Privacy Framework (DPF) has specific requirements. Here's what you need to know.
## Current Legal Landscape (2026)
| Transfer Mechanism | Status | When to Use |
|---|---|---|
| EU-US Data Privacy Framework | Active (since July 2023) | For US companies certified under the DPF |
| Standard Contractual Clauses (SCCs) | Active (2021 version) | For any non-adequate country (universal fallback) |
| Binding Corporate Rules | Active | For intra-group transfers in multinationals |
| Adequacy decisions | Active for specific countries | Transfers to countries deemed adequate by EU Commission |
| Derogations (Article 49) | Limited use | Occasional, non-repetitive transfers with explicit consent |
## EU-US Data Privacy Framework
The DPF allows transfers to US companies that have self-certified with the US Department of Commerce. Key points:
- Check certification: Verify your US vendor is DPF-certified at dataprivacyframework.gov
- Not permanent: The DPF may face a "Schrems III" challenge. Max Schrems' NOYB organization has already signaled concerns
- Limited scope: Only covers companies that actively certify — many smaller US vendors may not be certified
## Standard Contractual Clauses (SCCs)
SCCs are the most widely used transfer mechanism. The 2021 version introduced a modular approach:
| Module | Scenario | Example |
|---|---|---|
| Module 1 | Controller to Controller | Sharing customer data with a US partner |
| Module 2 | Controller to Processor | Using AWS, Google Cloud, or Cloudflare |
| Module 3 | Processor to Processor | Your processor uses a sub-processor outside EU |
| Module 4 | Processor to Controller | Rare — data returns to a non-EU controller |
## Transfer Impact Assessment (TIA)
Since Schrems II, you must conduct a Transfer Impact Assessment before relying on SCCs. This evaluates whether the recipient country's laws provide "essentially equivalent" protection to EU law. For US transfers with DPF certification, this is simplified.
## Adequate Countries
The EU Commission has recognized the following countries as providing adequate data protection. No additional transfer mechanism is needed:
- Andorra, Argentina, Canada (commercial), Faroe Islands, Guernsey
- Israel, Isle of Man, Japan, Jersey, New Zealand
- Republic of Korea, Switzerland, United Kingdom, Uruguay
- United States (only for DPF-certified organizations)
## Practical Steps for Website Owners
- Map your data flows: Identify all services that receive personal data from your website. PrivacyChecker automatically discovers third-party services on your site
- Check vendor locations: Determine where each vendor stores and processes data
- Verify transfer mechanisms: For each non-EU vendor, confirm they have DPF certification or that you have SCCs in place
- Conduct TIAs: Document your assessment of each transfer's risk
- Update privacy policy: Disclose the specific transfer mechanisms you rely on (see our privacy policy guide)
- Consider EU alternatives: Where possible, use EU-based services to avoid transfer complexity entirely
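A first pass at the mapping and verification steps above, as an added example that is not part of this article or of PrivacyChecker: it parses a page for third-party script, image, iframe and stylesheet hosts, then checks each host against a vendor register. The register, the hosts and the page HTML are constructed placeholders, the EU/EEA set is abbreviated, and the conditions on the Canada and United States adequacy entries are not modelled.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed vendor register: host -> (country code, transfer mechanism). Placeholder
# hosts; real entries come from your vendor review, the DPF lookup and signed SCCs.
VENDOR_REGISTER = {
    "tag.example-us.com": ("US", "DPF"),
    "pay.example-us.com": ("US", "SCC"),
    "pixel.example-us.com": ("US", None),
    "static.example-ch.com": ("CH", None),
}
# Adequacy list from the article as ISO codes (CA/US conditions not modelled); EU/EEA abbreviated.
ADEQUATE = {"AD", "AR", "CA", "FO", "GG", "IL", "IM", "JP", "JE", "NZ", "KR", "CH", "GB", "UY"}
EU_EEA = {"DE", "FR", "IE", "NL", "IS", "LI", "NO"}

class AssetCollector(HTMLParser):
    """Collect hosts of resources a browser would fetch from other origins."""
    ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
    def __init__(self, first_party):
        super().__init__()
        self.first_party, self.hosts = first_party, set()
    def handle_starttag(self, tag, attrs):
        attr = self.ATTRS.get(tag)
        if attr:
            host = urlparse(dict(attrs).get(attr) or "").hostname
            if host and host != self.first_party:  # relative URLs have no host
                self.hosts.add(host)

def third_party_hosts(html, first_party):
    parser = AssetCollector(first_party)
    parser.feed(html)
    return sorted(parser.hosts)

def transfer_status(host):
    """'adequate' (no mechanism needed), 'covered' (DPF/SCC), 'gap' or 'unknown'."""
    if host not in VENDOR_REGISTER:
        return "unknown"  # not yet reviewed: no lawful basis can be claimed
    country, mechanism = VENDOR_REGISTER[host]
    if country in EU_EEA or country in ADEQUATE:
        return "adequate"
    return "covered" if mechanism in ("DPF", "SCC") else "gap"

def assess(html, first_party):
    return {h: transfer_status(h) for h in third_party_hosts(html, first_party)}

SAMPLE_HTML = """<html><head><script src="https://tag.example-us.com/t.js"></script>
<script src="https://pay.example-us.com/v3/"></script><script src="/app.js"></script>
<link rel="stylesheet" href="https://static.example-ch.com/site.css"></head>
<body><img src="https://pixel.example-us.com/p.gif">
<iframe src="https://video.example-unknown.io/embed/1"></iframe></body></html>"""
```

Hosts reported as `gap` or `unknown` are the ones to take into the vendor-location and TIA steps; `assess(SAMPLE_HTML, "www.example.com")` flags the pixel host as a gap and the video host as unreviewed.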
## Risk of Non-Compliance
Fines for illegal data transfers are among the highest under GDPR. Meta was fined €1.2 billion in 2023 for transferring EU user data to the US without adequate safeguards. While website owners face proportionally smaller fines, the legal risk is real — especially as privacy activists file systematic complaints.
Scan your website for free to discover all third-party services and their data locations, then assess your transfer compliance.