Is my data safe when it goes to the US?

EU-US data flows run on the Data Privacy Framework — the third attempt after courts killed two predecessors. It works for you day-to-day, gives you a redress route, and lives under permanent legal siege.

Whenever you use US-based services, your data crosses the Atlantic — lawfully only under GDPR Chapter V. The history in one line: Safe Harbour died in court (Schrems I, 2015), Privacy Shield died in court (Schrems II, 2020 — US surveillance law vs EU rights), and since July 2023 the EU-US Data Privacy Framework (DPF) is the adequacy decision that keeps the pipes legal, resting on new US limits on intelligence collection and a redress court for Europeans. What it means for you: transfers to DPF-certified US companies are lawful without extra safeguards; you can check any company against the official DPF list, and you get a free complaint route — via your DPA — that can reach the US redress mechanism. Companies outside the list fall back on standard contractual clauses plus case-by-case safeguards (that is what their privacy policies mean by “SCCs”). The siege part: legal challenges and EU-US political swings keep the framework’s long-term survival genuinely uncertain — the CJEU ended both predecessors, and privacy litigants are aiming for the hat-trick. If it falls, expect a scramble like 2020, not an overnight data stop. We track that fight on What’s changing. Practical posture: for sensitive material, prefer end-to-end-encrypted services where the provider cannot read content regardless of jurisdiction — treaty architecture matters less when there is nothing legible to hand over.

Verified against the sources above on 18 July 2026. Information, not legal advice.

← Privacy explained📞 Your data protection authority