The EU, USA, and GDPR: The latest news
A quick background
In the last few years, there has been some back and forth regarding the legality of sending personal data to American companies, as the US doesn't have the same stringent rules regarding personal data protection as the EU. In 2023, several EU countries banned Google Analytics as it was not considered GDPR compliant. Shortly after, the American president signed an executive order implementing the EU-US Data Privacy Framework (DPF). With the new framework in place, the US was once again trusted to handle personal information about EU citizens. However, noyb quickly announced that they would challenge the DPF, as they consider the framework a failed copy of previous deals.
If you want more information on the background, you can check out this article.
The current status
For now, the EU-US Data Privacy Framework is still in place, but there are some uncertainties about its future. Here’s why:
- DPF will be challenged by noyb as they do not feel it sufficiently protects the personal data of EU citizens [1].
- In January 2025, the US administration fired three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) [2], which has an integral role in the framework. The PCLOB is supposed to be an independent agency with bipartisan members [3].
- There have been several reports in 2025 of the US Department of Government Efficiency getting access to sensitive information [4], which could include information about EU citizens.
- The executive order implementing DPF can easily be revoked by the current president, who has already reworked many of the previous president’s executive orders [5].
- The European Data Protection Board (EDPB) reviewed the framework in 2024. In its report published in November 2024, the conclusions include several concerns:
  - Lack of monitoring activities.
  - Insufficient guidance for DPF-certified companies, and some of the certified companies may not be aware of the requirements for lawful transfers of personal data.
  - More guidance regarding how to process HR data is also needed.
  - Safeguard recommendations presented by PCLOB were not incorporated in the Reforming Intelligence and Securing America Act passed in 2024, which was not viewed favorably by EDPB [6].
What does this mean?
Nothing has changed yet with regard to sending personal data to US companies. However, the actions of the current US administration and the conclusions from the review by EDPB seem to give noyb a stronger case in their challenge of the EU-US Data Privacy Framework now than they had back in 2023.
If you'd rather not get involved in all of this, choose a GDPR-compliant company for your surveys and analytics. Extellio is one of them. You can start a free trial or book a demo below.
_______________________
[1] https://noyb.eu/en/european-commission-gives-eu-us-data-transfers-third-round-cjeu
[3] https://www.pclob.gov/About/HistoryMission
[4] https://www.npr.org/2025/03/11/nx-s1-5305054/doge-elon-musk-security-data-information-privacy
[5] https://thehill.com/homenews/administration/5196563-trump-biden-executive-orders-actions/
Updated: 21 March 2025