EU-US data transfer: what European companies should know

The Schrems II ruling was handed down in 2020, and ever since, data transfers to U.S. services like Google Analytics have faced legal uncertainty. The new EU-US Data Privacy Framework (DPF) aims to restore a lawful basis for these transfers. But an important question remains: is U.S. data processing now truly GDPR‑compliant? And can European businesses safely continue using American marketing or analytics tools?
Transferring personal data to the US is still possible, but not risk-free. The Data Privacy Framework simplifies compliance for certified organizations, yet legal uncertainty persists due to ongoing scrutiny by European courts.
In this article, we explain what the Data Privacy Framework means in practice, how to verify compliance, and why TAGGRS Server‑Side Tracking offers a safer and more future‑proof GDPR‑compliant alternative.
What is the EU-US Data Privacy Framework (DPF)?
The DPF is a formal agreement that allows organizations in the European Economic Area (EEA) to transfer personal data to U.S. companies certified under the framework. On the U.S. side, American companies can voluntarily join the framework by self‑certifying with the U.S. Department of Commerce. To stay compliant, certified participants must:
- Publish and maintain a clear, public privacy policy that aligns with DPF principles
- Put internal monitoring and enforcement measures in place
- Respond to complaints and provide independent dispute resolution options.
Once certified, these organizations can legally receive personal data from the EEA without extra contractual or technical safeguards. But non‑compliance has consequences: the Federal Trade Commission (FTC) can take enforcement action, and violators risk being removed from the DPF list.
If a U.S. company isn’t DPF‑certified, data transfers are still possible but require other legal tools, such as Standard Contractual Clauses (SCCs), supported by additional safeguards like encryption or pseudonymization.
Want to learn more? Check out the Data Privacy Framework program.
Examples of personal data commonly transferred
- IP addresses
- Email addresses
- Device IDs and cookies
- Usernames or login data
- Customer metadata and CRM fields
- Birth dates or location data
Expert Tip
Even if your company “only” shares an IP address or hashed identifier with a U.S. service, this can qualify as personal data under the GDPR.
Why is the DPF still under review in the EU?
On one hand, the DPF brings more transparency and strengthens individual rights, but on the other its long‑term legal stability remains uncertain. Privacy advocates like NOYB have already challenged it, claiming that U.S. surveillance laws could still allow disproportionate government data access to European data. A future ruling by the Court of Justice of the European Union could – once again – reshape how EU-US data transfers work.
For European companies, this means relying exclusively on the DPF may not be a sustainable, long-term compliance strategy.
How to check if your data is protected (3-step verification)
Before sharing user data with any U.S. service provider, you can easily check if they are certified:
- Visit the official DPF list
- Search for the company name (e.g., “Google LLC”)
- Confirm that the company’s status is “Active” and check whether the specific service (e.g., Google Analytics or Google Ads) is covered.
This leaves two possible scenarios:
- If covered, you may transfer data under DPF without additional measures.
- If not covered, you must implement supplementary safeguards.
Supplementary safeguards for companies that are not DPF-certified
If your U.S. partner isn’t certified under the Data Privacy Framework, there are still ways to stay compliant. Here are three main options:
1) Use a transfer tool
You can rely on recognized legal instruments for data transfers outside the EEA, such as the Standard Contractual Clauses under Article 46 GDPR or Binding Corporate Rules (BCRs) for multinational organizations. These form the legal basis for sending data abroad while staying within GDPR limits.
2) Add technical and organizational measures
If needed, you can take additional measures to protect personal data.
The European Data Protection Board (EDPB) outlines several practical steps in its Recommendations for Measures Supplemental to Transfer Instruments, such as:
- End-to-end encryption before transfer
- Pseudonymization of data
- Data minimization and strict access control.
You should consider on a case-by-case basis what measure or combination of measures is necessary to properly protect personal data.
3) Move data handling to EU territories
Another sustainable approach is to keep data processing within the EU itself. Hosting, anonymizing, or handling data through EU‑based servers (for example, with a Server‑side Tracking setup) helps minimize cross‑border risks altogether.
Learn more about European Data Sovereignty with UpCloud and TAGGRS.
Why EU Server-side Tracking is often the more resilient strategy
Server-side Tracking inside the EU gives you:
- Control over exactly what data is shared with third-party vendors, through filtering or pseudonymisation before any transfer
- The ability to keep raw or sensitive data inside EU jurisdictions, reducing cross-border transfer risk
- Easier GDPR compliance and simplified breach/DSAR procedures, because your organization stays in charge of data handling and retention.
By keeping tracking logic and user data within EU borders, companies gain a scalable setup that’s less dependent on uncertain legal frameworks such as the DPF. It futureproofs your data infrastructure and builds stronger trust with privacy‑aware customers. It’s important, though, to verify any provider’s claims by checking the actual hosting locations, subcontractors, and Data Processing Agreements (DPA).
In a nutshell: Server‑side Tracking with EU hosting is not only about compliance. It’s about putting data ownership and responsibility back in your hands, where it belongs.
How TAGGRS ensures that personal data is protected
TAGGRS offers hosting for Google Tag Manager Server-side Tracking and privacy‑enhancing tools like PII hashing and anonymization, designed to let marketing teams, DPOs, or data-driven professionals maintain both technical and legal control.
We help organizations stay GDPR compliant through several key features:
- Enhanced control over third‑party data: Server‑Side GTM lets you decide exactly which data points are shared with external services like Meta or Google, ensuring vendors only receive the information you approve. Learn why minimizing third‑party dependencies helps future‑proof your business: Cookies, privacy concerns and a future‑proof solution.
- Effective data management: Server‑Side GTM supports advanced data handling, like hashing user information according to platform standards or cleaning URLs before sending them to ad or analytics tools, protecting sensitive data from exposure. Learn more in our Google Ads enhanced conversions documentation.
- Proprietary server locations: TAGGRS operates on its own EU‑based infrastructure, meaning data stays within European borders. Keeping hosting local adds an extra layer of legal and technical security, helping your organization meet both GDPR and national compliance standards. Explore more insights in our blog post on GDPR and Server‑Side Tracking.
- Secure processing of sensitive information and PII with the TAGGRS GDPR tool: sensitive data such as email addresses or identifiers are anonymized or hashed before being processed, helping you align with GDPR obligations. Discover more about privacy rules for PII and personal data.
Check the server status. Anytime, everywhere.
Enter our legal hub to read our DPA and SLA per product.
FAQ: Data Privacy Framework & U.S. Data Transfers
Who can use the DPF?
Only those U.S. organizations that self-certify with the U.S. Department of Commerce and appear on the official DPF list may legally receive such data without additional safeguards. EU-based companies cannot participate; they can only transfer data to certified U.S. partners.
Why is TAGGRS not part of the DPF?
The DPF applies only to U.S. entities. TAGGRS is an EU-based provider that keeps data within European borders.
Is Google part of the DPF?
Yes, Google LLC participates under “Google Cloud,” “Google Ads,” and “Google Analytics.” Verify coverage for your service.
Are Transfer Impact Assessments still required under DPF?
While the DPF provides an adequate basis for transfers, EU regulators and privacy authorities recommend that European companies still perform a Transfer Impact Assessment (TIA) as part of their accountability obligations. TIAs help document risks, confirm DPF coverage for the specific service, and outline mitigation measures for sensitive data.
What if DPF is invalidated again?
Use SCCs plus supplementary safeguards like encryption and pseudonymization.
Should EU businesses rely exclusively on DPF or combine with supplementary measures?
Businesses should not rely solely on the DPF, given ongoing legal and regulatory uncertainty. The most resilient approach is to combine DPF usage (where unavoidable) with technical, organizational, and contractual safeguards — and implement EU-hosted Server-side Tracking wherever possible to minimize risk and simplify compliance.
Why choose EU Server-side Tracking?
EU-based Server-side Tracking (such as TAGGRS) keeps all user data within European-controlled environments, ensuring full GDPR compliance and eliminating dependence on international transfer frameworks. Businesses retain direct technical and legal control over personal data, reducing potential exposure to foreign surveillance or regulatory shifts.
Is the Data Privacy Framework GDPR-compliant?
The European Commission considers the DPF to offer adequate protection, but critics argue U.S. surveillance laws still pose risks. The NOYB privacy group and others continue to challenge its validity. If invalidated again, businesses must fall back on Standard Contractual Clauses (SCCs) and supplementary safeguards like encryption and pseudonymization.

