EU-US Data Transfers Explained: SCCs, the Data Privacy Framework, and What Your Website Must Do

How EU-US data transfers work under GDPR: the Data Privacy Framework, SCCs, BCRs, the Schrems history, and the DPF's current legal status.


by Riad Us Salehin • 4 July 2026


An EU-US data transfer moves an EU or EEA resident's personal data to the United States, which GDPR restricts unless a lawful transfer tool applies. The main tools are the EU-US Data Privacy Framework and Standard Contractual Clauses.

This guide covers both mechanisms, Binding Corporate Rules, the Schrems history behind them, and a dated verdict on the Data Privacy Framework's current legal status. It closes with what these transfers mean for a website using US tools, and how Consently supports the consent side of compliance.

What Is an EU-US Data Transfer?

An EU-US data transfer is any movement of an EU or EEA resident's personal data to a recipient in the United States. That recipient can be a controller or a processor. GDPR treats the US as a "third country" and restricts these transfers unless a lawful transfer tool applies.

The GDPR definition covers more than a simple file upload. It includes personal data sent to a US-based cloud host, a US analytics provider, or a US email platform. It also covers any US company that processes data on an EU business's behalf. It does not automatically cover data an EU resident submits directly to a US company with no EU establishment. That distinction matters and gets its own section below.

A transfer requires a lawful basis under the GDPR framework, specifically Chapter V, before it happens, not after. Most businesses meet that requirement through one of two mechanisms: the EU-US Data Privacy Framework or Standard Contractual Clauses.

Why Does GDPR Restrict Transfers to the US? (Chapter V)

GDPR Chapter V, Articles 44 through 50, bars sending personal data to a third country unless the destination provides an adequate level of protection. The United States has no blanket adequacy finding covering every US company, so businesses need a specific transfer tool for each recipient.

The restriction exists because EU law protects personal data even after it leaves the EU. Article 44 states the general principle plainly: any transfer to a third country must not undermine the level of protection GDPR guarantees. That protection extends to the EU Charter of Fundamental Rights too.

US government surveillance law is the specific concern behind the US carve-out. Two statutes drive it.

  • FISA Section 702 lets US intelligence agencies compel US companies to disclose data about non-US persons for foreign intelligence purposes.
  • The US CLOUD Act requires any US company to produce data it controls when served with a warrant, regardless of where that data is physically stored.

Neither statute gives an EU resident the kind of judicial redress GDPR requires. The Court of Justice of the European Union flagged that gap in 2015 and again in 2020. Every subsequent EU-US transfer deal has built in a redress mechanism aimed at satisfying it.

Read other privacy regulations for how this transfer restriction fits into the broader compliance map beyond the EU-US relationship.

What Are the Ways to Transfer Data Legally? (Transfer Mechanisms)

GDPR Chapter V gives four routes for a lawful US transfer. They are an adequacy decision (the Data Privacy Framework), Standard Contractual Clauses, Binding Corporate Rules, and narrow Article 49 derogations. Most SMB websites rely on the first two.

MechanismWhat it isBest forGDPR basis
Data Privacy FrameworkUS company self-certifies to a public compliance listAny US vendor already on the DPF ListArticle 45 (adequacy)
Standard Contractual ClausesPre-approved contract clauses signed between exporter and importerVendors not DPF-certified, or extra contractual assuranceArticle 46
Binding Corporate RulesInternal, DPA-approved rules across one corporate groupLarge multinationals moving data within their own groupArticle 47
DerogationsNarrow, case-by-case exceptionsOne-off or occasional transfers onlyArticle 49

Adequacy and the EU-US Data Privacy Framework (DPF)

The Data Privacy Framework is a self-certification program. A US organization commits to a set of privacy principles and registers with the US Department of Commerce. It then appears on a public list the European Commission recognizes as adequate. Once certified, that company can receive EU personal data without needing separate SCCs for that flow.

The European Commission adopted the DPF adequacy decision on 10 July 2023, under Article 45 GDPR. The decision followed Executive Order 14086, signed by President Biden. That order created new safeguards on US intelligence access and a redress body called the Data Protection Review Court (DPRC). Certification runs through the International Trade Administration and requires annual re-certification to stay on the public DPF List.

A DPF-certified vendor removes the need for a separate SCC for that specific transfer. Checking a vendor's status on the public list takes under a minute and settles the question directly.

The DPF adequacy decision remains formally in force as of July 2026, though its legal foundation is now contested. A dedicated section below gives the dated status verdict and the two challenges behind it.

Standard Contractual Clauses (SCCs)

Standard Contractual Clauses are pre-approved contract terms the European Commission issues for transfers to a country without an adequacy decision. A business signs them directly with its US vendor, and the clauses themselves carry the required data protection safeguards.

The Commission issued modernized, modular SCCs on 4 June 2021, replacing the older 2010-era clauses. The 2021 clauses split into four modules based on the parties' roles.

  • Module 1: Controller to controller
  • Module 2: Controller to processor
  • Module 3: Processor to processor
  • Module 4: Processor to controller

A business signs the module matching its relationship with the US vendor. Since the Schrems II ruling, SCCs also carry an extra duty the DPF does not. The exporter must run a transfer impact assessment (TIA) and add supplementary measures if the assessment finds the destination country's surveillance laws undercut the clauses. A DPF-certified transfer skips this step entirely.

For the full clause-by-clause breakdown, module selection guidance, and TIA process, see what SCCs are.

Binding Corporate Rules (BCRs)

Binding Corporate Rules are internal data protection policies a multinational corporate group adopts for transfers within its own entities. A lead EU supervisory authority approves them through the GDPR Article 63 consistency mechanism. That process pulls in the European Data Protection Board and often several national regulators at once.

BCR approval commonly takes well over a year. That timeline makes BCRs a fit for large multinationals moving data between their own subsidiaries. It rules them out for a small business sending data to an independent US vendor.

Derogations (Article 49)

Article 49 derogations are narrow, occasional exceptions to the transfer restriction, not a standing basis for regular data flows. The main derogations include the data subject's explicit, informed consent to that specific transfer, and transfers necessary to perform a contract with the data subject.

noyb is the privacy organization behind the Schrems rulings. It puts the limit plainly: Article 49 "does not allow to structurally offshore data from the EU" when the transfer is not strictly necessary. Regulators read derogations the same way. They work for a one-off transfer, not as a substitute for the DPF or SCCs on a recurring vendor relationship.

From Safe Harbor to Privacy Shield to the DPF: A Short History

The DPF is the third EU-US transfer deal in 25 years. The Court of Justice struck down each of its two predecessors. That repeated pattern is why practitioners still treat the current framework with some caution.

  • Safe Harbor (2000 to 2015): the first EU-US adequacy framework, invalidated by the CJEU on 6 October 2015 in Schrems I (Case C-362/14), largely over US government access to transferred data.
  • Privacy Shield (2016 to 2020): Safe Harbor's replacement, invalidated by the CJEU on 16 July 2020 in Schrems II (Case C-311/18). The same ruling upheld SCCs as valid in principle, but added the supplementary-measures duty described above.
  • Data Privacy Framework (2023 to present): adopted 10 July 2023, built around Executive Order 14086 and the new Data Protection Review Court, designed specifically to answer the Schrems II objections.

Each prior framework fell on the same two grounds: insufficient limits on US government surveillance, and no independent, effective redress for EU residents. The next section covers where the DPF's third attempt at solving that problem stands today.

Is the EU-US Data Privacy Framework Still Valid?

As of July 2026, yes: the DPF's adequacy decision remains formally in force, but its legal foundation is now seriously contested. Two separate developments explain why.

First, French MEP Philippe Latombe challenged the DPF directly. The EU General Court dismissed his claims and upheld the adequacy decision on 3 September 2025. It found the DPRC's independence and the US surveillance safeguards adequate. Latombe filed an appeal to the Court of Justice of the European Union (CJEU) in October 2025. That appeal remained pending as of mid-2026.

Second, and more significant, the US Supreme Court ruled 6-3 in Trump v. Slaughter on 29 June 2026. The ruling lets the president remove Federal Trade Commission commissioners at will, striking down their statutory for-cause removal protections.

The European Commission's adequacy decision cites the FTC's independence as an enforcement backstop 259 times. EU law requires that kind of oversight to be genuinely independent. The ruling strikes directly at the DPF's stated basis.

noyb, the organization Max Schrems founded, won both prior Schrems cases. It called the DPF's foundation "dead" after the ruling. noyb announced it will file a new CJEU annulment suit within weeks. Such litigation, it noted, typically takes two to three years to reach a final decision.

noyb also confirmed the practical reality for now. In its own words, the adequacy decision "is formally in force until either the European Commission repeals it or the Court of Justice annuls it". So there is no automatic, immediate loss of DPF coverage.

A separate US oversight body compounds the concern. The Privacy and Civil Liberties Oversight Board (PCLOB) reviews US intelligence compliance for the DPF and feeds the European Commission's own annual DPF report. It has lacked a working quorum since three Democratic members, including its chair, were dismissed on 27 January 2025.

The practical read for a website owner is this: DPF certification is still a valid transfer basis today. No business needs to rip out a DPF-certified vendor overnight. But treat any "the DPF is settled law" claim as outdated. Expect a CJEU challenge to work through the courts over the next two to three years.

What Counts as a "Transfer" (and What Does Not)?

A transfer under GDPR Chapter V is a controller or processor subject to GDPR sending personal data to a recipient in a third country. Data an EU resident submits directly to a US company with no EU establishment is often not a Chapter V transfer at all.

That distinction trips up a lot of small US businesses. Picture a US-based company selling directly to EU customers, with no EU subsidiary or establishment. The customer's direct submission of their own data to that company is not itself an international transfer requiring SCCs.

The transfer question comes back into play the moment that US business brings in its own processors. Sending that same customer data to a US-based email platform, analytics tool, or hosting provider is a transfer. The data now moves from one entity to another across the Chapter V boundary.

A business can act as both a controller (selling to its own customers) and a processor (handling data on behalf of an EU client). That business needs SCCs for the processor relationship, even where its direct-to-consumer flow does not require them.

What EU-US Data Transfers Mean for Your Website

Most website owners using US analytics, hosting, email, or CDN tools need to confirm each vendor's transfer basis, not stop using US tools altogether. A short inventory settles most of the work.

  1. List every US tool that receives EU visitor data. Analytics, ad tags, email platforms, hosting, and CDNs are the usual culprits.
  2. Check each vendor against the DPF List. A DPF-certified vendor, like Google for Google Analytics and Google Ads, needs no separate SCC for that flow.
  3. Confirm SCCs are in place for any vendor that is not DPF-certified. Most major US SaaS vendors publish standard SCC terms in their data processing agreements.
  4. Get valid consent before non-essential tags fire. DPF or SCC coverage makes the transfer lawful; it does not replace the separate requirement to collect GDPR cookie consent before analytics or ad scripts load.
  5. Consider EU data residency where it is practical. Keeping EU visitor data on EU-hosted infrastructure sidesteps the transfer question for that data entirely.
  6. Keep records. A written list of vendors, their transfer basis, and consent logs is the paper trail regulators ask for first.

This checklist is one piece of a larger compliance picture. See the full GDPR compliance checklist for everything else a website needs.

How Consently Helps You Keep EU Visitor Data Compliant

Consently manages the consent layer for your EU visitors and keeps its own infrastructure in the EU. The records proving your compliance never leave European soil. It does not make your other vendors' US transfers lawful on its own; that still depends on each vendor's own DPF certification or SCCs.

Consently collects and documents GDPR-valid consent before your US analytics and ad tags fire. It shows the right banner automatically: an EU opt-in banner for European visitors, and a US opt-out banner for American ones, based on geotargeting. That solves the consent half of the compliance picture this article walks through.

Two features address the data-handling side directly. Consently hosts its own consent and account data on EU infrastructure in Frankfurt. The platform's own records about your visitors stay on EU soil rather than crossing the Atlantic.

A data processing agreement covering hosting region, subprocessors, and Standard Contractual Clauses is available on request, useful for your own vendor due-diligence file. Consent logs record each visitor's choice with a timestamp and country, exportable as your audit trail if a regulator ever asks for proof.

See Consently's GDPR cookie consent solution for the full feature set. Start a free trial to see the banner and consent log running on your own site.

FAQs

What is an EU-US data transfer?

An EU-US data transfer is any movement of an EU or EEA resident's personal data to a recipient, controller, or processor in the United States. GDPR restricts these transfers unless a lawful mechanism, such as the Data Privacy Framework or SCCs, applies.

Is it legal to transfer data from the EU to the US?

Yes, when a valid transfer mechanism covers the transfer. The main options are the Data Privacy Framework for DPF-certified vendors and Standard Contractual Clauses for everyone else. Binding Corporate Rules cover intra-group transfers, and narrow Article 49 derogations cover one-off cases.

What is the EU-US Data Privacy Framework in simple terms?

The Data Privacy Framework is a self-certification program. US companies register with the US Department of Commerce and appear on a public list the European Commission recognizes as adequate. That listing lets them receive EU personal data without separate SCCs.

Are Standard Contractual Clauses still valid?

Yes. The European Commission's 2021 modular SCCs remain a valid transfer mechanism. The older, pre-2021 clauses have sunset and must be replaced with the current modular versions for any active transfer.

Is the Data Privacy Framework still valid?

Yes, as of July 2026, but its foundation is contested. The EU General Court upheld it on 3 September 2025, and an appeal to the CJEU is now pending. A US Supreme Court ruling on 29 June 2026 then stripped the FTC's independence, prompting noyb to prepare a new annulment challenge. The adequacy decision stays in force until the Commission repeals it or the CJEU annuls it.

Do I need SCCs if my US vendor is DPF-certified?

No, not for that specific transfer. DPF certification gives that vendor an adequacy-based transfer basis under Article 45, so a separate SCC is not required for data flows to that vendor.

Does using Google Analytics count as an EU-US data transfer?

Yes. Google is DPF-certified, so the transfer itself has a lawful basis. A site still needs to collect valid GDPR cookie consent before Google Analytics tags fire; DPF coverage and cookie consent are two separate requirements.

What was Schrems II?

Schrems II is the CJEU ruling of 16 July 2020 (Case C-311/18) that invalidated the EU-US Privacy Shield over inadequate US surveillance safeguards and redress. It upheld SCCs as valid but added a duty to assess and, where needed, supplement them.

What happens if there is no valid transfer mechanism?

The transfer is unlawful under GDPR Chapter V. Regulators can order the transfer suspended, issue formal warnings, and impose fines. Exposure scales under the same GDPR penalty structure that applies to other violations.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.