Almost 30 years of challenges with US data protection



Reading Time

5 minutes


European Cloud

Due to the current situation, in particular regarding the surveillance by U.S. authorities, many companies are having trouble meeting the requirements of the Schrems II decision and transferring personal data to the United States. The difficulty in this transfer of personal data to the U.S. lies primarily in the fact that there are laws and practices in the U.S. that do not guarantee data protection at a level equivalent to the EU. Notably, U.S. intelligence agencies have broad authority to monitor data and communications incompatible with EU data protection rules.

The nearly 30 years since the first EU Data Protection Directive (95/46/EC) was published in 1995, have been characterized by challenges around data transfer to the US. It will soon be 3 years since the ECJ invalidated the second agreement on the transfer of personal data from the EU to the US due to glaring shortcomings, and it will soon be a year since the EU and the US settled on a new agreement "in principle". It is unclear when this agreement will come into effect. At the heart of all these developments is a question that has remained largely unchanged since 1995: does personal data protection in the U.S. meet the EU's high standards?

A chronology of the most important events concerning the processing of personal data from the EU within the US:

October 24, 1995:

The EU passes the Data Protection Directive 95/46/EC, which contains basic rules for the handling of personal data. Data transfers to third countries are only permitted if adequate protection of said data during the transfer process is guaranteed.

Source: EUR-Lex EUR-Lex - 31995L0046 - EN - EUR-Lex (

July 26, 2000:

The Safe Harbor Agreement is introduced by the European Commission allowing companies to transfer the personal data of EU citizens to the U.S. as long as the relevant U.S. companies comply with certain data protection standards.

Source: EUR-Lex

June 9, 2013:

Former U.S. intelligence contractor Edward Snowden releases documents showing that the U.S. government had been collecting massive amounts of data from U.S. as well as foreign citizens. This included surveillance of EU citizens and companies.

Source: The Guardian

October 6, 2015:

The European Court of Justice (ECJ) issues a ruling invalidating the Safe Harbor Agreement, indicating that it did not provide adequate protection for personal data.

Source: European Court of Justice EUR-Lex - 62014CJ0362 - EN - EUR-Lex (

July 12, 2016:

The EU-US Privacy Shield Framework comes into force, providing a mechanism for companies to transfer the personal data of EU citizens to the US as long as the relevant US companies comply with certain data protection standards.

Source: European Commission EU-US data transfers (

May 25, 2018:

The GDPR, also known as the General Data Protection Regulation, comes into effect. It is a data protection regulation within EU law aimed at strengthening personal data protection and establishing coherent data protection standards across all EU member states. The GDPR replaces the previous EU Data Protection Directive of 1995 and introduces significant changes and augmentations to bring data protection in line with today's digital landscape.

July 16, 2020:

The ECJ declares the EU-US Privacy Shield Framework invalid as it does not provide adequate personal data protection. In addition, the ECJ further restricts the use of standard contractual clauses.

Source: European Court of Justice The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (

For further details please download our Whitepaper CLOUD Act.

September 9, 2020:

The Irish Data Protection Commission (DPC) issues a preliminary injunction against Facebook Ireland Limited and Facebook Inc. and calls for a suspension of personal data transfers from the EU to the U.S. based on standard contractual clauses.

Source: TechCrunch

May 14, 2021:

Facebook loses its case in the Irish High Court challenging the interim order to suspend data transfers.

Source: Irish High Court

June 4, 2021:

The European Commission publishes new standard contractual clauses with respect to the transfer of personal data to countries outside the EU. These clauses contain stricter requirements for businesses to ensure the level of data protection in the relevant destination country is adequate. The utilization of these clauses alone is generally not sufficient. Additional technical and organizational measures must be used to secure data transfers.

Source: European Commission

March 25, 2022:

The European Commission and the United States announce that they have agreed in principle on a new Transatlantic Data Protection Framework.

Source: European Commission

December 13, 2022:

The European Commission initiates proceedings to adopt an adequacy resolution relating to the EU-U.S. Data Protection Framework and publishes a draft adequacy decision on the "New Transatlantic Data Protection Framework" of March 25, 2022

Source: European Commission Commission publishes draft adequacy decision for the EU-US (

December 27, 2022: The transition period to switch to the new standard contractual clauses expires.

Source: Noerr International data transfer: Transition period for old standard contractual clauses ends on 27 December 2022 - companies urgently need to review their contracts (

February 14, 2023:

The Committee on Civil Liberties, Justice and Home Affairs issues a draft motion for resolution determining that the suggested “EU-US Data Privacy Framework fails to create actual equivalence in the level of protection” and strongly calls on the Commission not to adopt any adequacy decision.

Source: European Parliament

February 28, 2023:

In a statement relating to the draft of a third EU-US data protection agreement, the European Data Protection Board (EDPB) points to the fact that the ECJ is demanding “essentially equivalent protection” of data, therefore requiring further amendments.