Schrems III – how likely is it and how to be prepared

The Trans-Atlantic Data Privacy Framework (DPF), introduced in July 2023, aimed to resolve longstanding tensions between EU privacy standards and US surveillance laws. It is essentially an EU-US trade agreement concerning user-data. However, given the historical invalidation of its predecessors—Safe Harbour and Privacy Shield—the longevity of the DPF remains uncertain.

Schrems I and Schrems II – a brief history

For as long as I can remember there has been a data transfer agreement in place between the EU and the US. The first was called Safe Harbour. However, following the Edward Snowden revelations of mass surveillance by US authorities, a determined Austrian law student named Max Schrems showed that the Safe Harbour agreement failed to protect EU citizens’ civil liberties. His efforts resulted in the momentous 2015 decision by the CJEU, now generally known as “Schrems I”.

To keep EU-US transfers of personal data viable, a replacement agreement was urgently required, and in 2016 the EU-US Privacy Shield came into effect. However, this was also challenged by Max Schrems and similarly shown to be inadequate. It led to another landmark CJEU decision in 2020, which has similarly become known as “Schrems II”.

And these aren’t just legal thought experiments. They have impacted real businesses. The first test of this was by Austria’s data protection watchdog, which upheld a complaint against a health-focused site called netdoktor.at that had been exporting visitors’ data to the US as a result of implementing Google Analytics (see my 2022 post at the time).

Hence, we are now in part III of this saga…

What’s the problem with sending data to the US?

At its core, the Schrems story is about the incompatibility between US surveillance laws and EU data protection regulations. Legal experts generally consider US data protection laws to be relatively strong. However, these protections only apply to US citizens. If you are not a US citizen, then you are referred to as an “alien” and data protections evaporate.

Under FISA Section 702, US intelligence agencies can access data of non-US persons without individualised judicial oversight, conflicting with the EU’s General Data Protection Regulation (GDPR) principles of proportionality and necessity. This legal discord has been central to the invalidation of previous data transfer frameworks. The DPF iteration has improved things, but the consensus in the privacy industry is that it is only a matter of time before Max (now the founder of NOYB) visits the CJEU again.

Is Schrems III likely? And how to be prepared

Initially it felt like the adoption of the DPF had kicked the whole discussion of EU-US data transfers into the very long grass. However, the new Trump Administration has cast its own doubts on the future of the DPF.

Max Schrems: “This deal was always built on sand… Instead of stable legal limitations, the EU agreed to executive promises that can be overturned in seconds. Now that the first Trump waves hit this deal, it quickly throws many EU businesses into a legal limbo.” — NOYB (Jan 2025).

Note that the current DPF is still in place and businesses can rely on it to transfer data to the US as long as it is not formally annulled. However, if data collection is important to you, having a contingency plan is crucial for mitigating the risk of a potentially severe data disruption.

For example, in February 2025 the Norwegian data watchdog warned that, should the DPF be revoked, restrictions could be imposed immediately without a transition period. This echoes past enforcement actions where authorities in Austria, France, and Italy ruled that the use of Google Analytics violated GDPR due to inadequate safeguards against US surveillance.

Update: To clarify, this post only considers data collection for web analytics purposes i.e. tools such as Google Analytics used to optimise site performance and its marketing. However, Schrems considerations impact the entire martech stack.

Contingency A – collect within EU data sovereignty

Consider running a data collection tool with data sovereignty within the EU (or another adequate country) alongside your current setup. I use the term data sovereignty deliberately, as it is quite different from data location, i.e. where servers are physically located. Data sovereignty is the only way to solve the FISA 702 issue: a US cloud company with servers based in the EU is still subject to US laws.

Example analytics tools where data sovereignty can be set within the EU:

  • Angelfish – a self-hosted software solution (US company).
  • Fathom Analytics – uses geo-routing to isolate EU visitor data (Canadian company).
  • Matomo – use the self-hosted software option (New Zealand company).
  • Piwik Pro* – has EU cloud and private cloud options (Danish company).
  • Plausible Analytics – uses EU-owned cloud infrastructure (Estonian company).

Contingency B – collect only aggregate data

Can your web analytics requirements be met with aggregate numbers, i.e. data collected with no personal identifiers? If they can, then you can avoid the whole Schrems III data transfer/data sovereignty nightmare. However, there are strict criteria to meet this threshold. I refer to these as the CNIL guidelines, as it was the French data protection authority that first detailed them.

BClifton: “It’s a myth that meaningful data analysis requires personal identifiers—it doesn’t. Only remarketing and personalised ads rely on them. You can optimise campaigns and websites effectively without collecting personal data. I’ve built my career proving exactly that.”

CNIL lists solutions that can be configured without collecting personal identifiers. Consider running one of these tools alongside your current setup:
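As an added illustration of Contingency B (example code, not from the post or from any of the tools mentioned), the following Python script reduces a constructed web-server access log to aggregate page-view counts: the IP address, user-agent and client-id cookie are parsed but never stored, so the resulting report contains no personal identifier that would need a transfer mechanism. The log format and the sample lines are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" format plus a trailing
# cookie field; not real traffic. Two different IPs view /pricing directly.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Feb/2025:09:14:02 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux)" "_ga=GA1.2.111"
203.0.113.7 - - [10/Feb/2025:09:14:30 +0000] "GET /signup?ref=abc HTTP/1.1" 200 2048 "https://example.com/pricing" "Mozilla/5.0 (X11; Linux)" "_ga=GA1.2.111"
198.51.100.9 - - [10/Feb/2025:11:02:11 +0000] "GET /pricing HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows)" "-"
198.51.100.9 - - [11/Feb/2025:08:00:00 +0000] "GET /docs/ HTTP/1.1" 200 9000 "https://duckduckgo.com/" "Mozilla/5.0 (Windows)" "-"
192.0.2.44 - - [11/Feb/2025:08:05:00 +0000] "GET /old-page HTTP/1.1" 404 300 "-" "curl/8.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referrer>[^"]*)" "(?P<ua>[^"]*)"(?: "(?P<cookie>[^"]*)")?'
)


def reduce_request(line):
    """Map one log line to (day, path, referrer host), or None if ignored."""
    m = LINE_RE.match(line)
    if not m or m["method"] != "GET" or m["status"] != "200":
        return None
    ref = m["referrer"]
    ref_host = urlsplit(ref).hostname if ref not in ("", "-") else "(direct)"
    path = m["path"].split("?", 1)[0]  # query strings may carry identifiers
    # ip, ua and cookie were parsed but are deliberately not returned.
    return (m["day"], path, ref_host)


def aggregate(log_text):
    """Return {(day, path, referrer_host): page views}; no per-visitor rows."""
    counts = Counter()
    for line in log_text.splitlines():
        key = reduce_request(line)
        if key is not None:
            counts[key] += 1
    return dict(counts)


def contains_personal_data(report):
    """Output guard: True if any report key looks like an IP, UA or client id."""
    flat = " ".join(" ".join(k) for k in report)
    return re.search(r"\d+\.\d+\.\d+\.\d+|Mozilla|_ga=", flat) is not None
```

Because the two /pricing visits collapse into a single count, the report cannot be used to single out a visitor, which is the property the aggregate-only approach relies on.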

Summary

This post highlights the importance of contingency planning to mitigate the business risk of losing valuable data should the Trans-Atlantic Data Privacy Framework be annulled. Organisations must adopt a proactive approach to data governance in order to mitigate that risk. Running tools that are configured for privacy by design, or that remove personal identifiers, offers an alternative to the current approach of collecting personal identifiers. These solutions can run alongside existing setups as a “dual approach” to collecting user data (a best-of-both-worlds scenario) while the legal landscape continues to evolve.


*DISCLOSURE: I am a member of the Piwik PRO advisory board and I have written about why here. To be clear, this post is not being compensated for, or requested by Piwik PRO. All posts are my own independent thoughts.


2 Comments

  1. Stéphane Hamel

    Great article as always, Brian.
    I appreciate how you highlight the contingency planning around the “web analytics” aspect, though I’d argue it’s just one piece of a broader issue. It’s worth revisiting the entire martech stack and reassessing dependencies on U.S.-based vendors overall.

    • Brian Clifton

      Good point Stéphane. I should clarify that my focus is very much around web analytics as the central place for measuring website performance. As you mention, any data collection involving personal identifiers should be considered.
