Crossing the Atlantic: How Your Data Travels Safely Between the EU and U.S.

Rochelle Osei-Tutu, CIPM, CIPP/E, Deputy Director, Privacy Operations, BBB National Programs

When you order something from a U.S. retailer while staying in Europe, stream a movie hosted on servers abroad, or use an American software service at work, your personal data is likely crossing the Atlantic. But have you ever wondered how that’s allowed to happen legally?

Behind the scenes, two important mechanisms are making this possible: the Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). They’re not household names, but they play a huge role in keeping global digital life running smoothly.
 

A Long Journey: Finding Stability in Data Transfers

Europe and the U.S. have been working for decades to figure out how to share data fairly and legally, through a series of frameworks:
  • Safe Harbor (2000–2015): The first major deal, struck down over surveillance concerns.
  • Privacy Shield (2016–2020): A replacement that also didn’t survive court scrutiny.
  • Data Privacy Framework (2023–present): The newest system, designed with much stronger safeguards, particularly as it pertains to national security and the court’s review process.

For years, businesses worried that any new deal might collapse under legal pressure. But a case known as the Latombe complaint changed that. For the first time, a European high court dismissed the complaint and reaffirmed the validity of the DPF, giving companies and individuals new confidence that this framework has staying power.
 

Why the DPF Matters for Businesses and Consumers

The DPF is more than just legal fine print. It’s a practical solution that makes online life easier and safer.
  • For businesses: It reduces paperwork and uncertainty. A company certified under the DPF doesn’t need to negotiate separate contracts every time it wants to transfer data to the U.S.
  • For consumers: It means more protection. If your data is misused, there are new ways to raise complaints and even seek redress in U.S. courts.
  • For the economy: It supports huge trade flows: over 3,400 companies already participate, helping drive around $8.3 trillion in business between Europe and the U.S.

In short: smoother business, stronger safeguards, and more trust on both sides of the Atlantic.
 

Key Differences Between the DPF and SCCs

While the DPF is a U.S.-only program, Standard Contractual Clauses (SCCs) work globally. Both serve as legal toolkits that companies can use to send data outside of Europe.

SCCs (sometimes referred to as model contract clauses) are contractual agreements between two parties to ensure that data protection safeguards are in place when personal data is transferred to countries outside of the European Economic Area (EEA). SCCs are pre-approved by the European Commission and there are a few SCCs available depending on the type of transfer that is taking place: 
  • transfers from a data controller in the EEA to another data controller outside the EEA; 
  • transfers from a data processor in the EEA to a data sub-processor outside the EEA; 
  • transfers from a data controller in the EEA to a data processor outside the EEA; and 
  • transfers from a data processor in the EEA to a data controller outside the EEA. 

Here’s the difference between the DPF and SCCs in plain terms:
  • DPF: Like joining a certification club. Once a U.S. company is in, transfers from Europe are simpler and automatically recognized.
  • SCCs: Like signing a contract every time. More flexible because they can apply to any country. However, they take much more effort, are often more costly than the DPF, often require extensive legal review, and may require the implementation of supplemental data protection safeguards.
 

How Companies Choose

Not every business has the same needs, so they decide differently:
  • Smaller businesses that mostly work with U.S. partners often go with the DPF because it’s faster, cheaper, and more straightforward.
  • Larger, global companies usually combine both DPF and SCCs. That way they’re covered for the U.S. and for data transfers to other countries worldwide.

Both mechanisms are designed to give individuals peace of mind that their personal data is protected and handled responsibly.
 

Why This Matters to You

You might not see the DPF or SCCs mentioned when you shop online or sign up for an app, but they’re working in the background every time your data travels.
  • Ordering vintage Louis Vuitton shoes from a U.S. website? Your payment info and shipping details might rely on the DPF.
  • Storing files on a global cloud platform? SCCs could be the reason it’s allowed.
  • Streaming your favorite show? Both mechanisms help ensure that your account and preferences are protected.

For consumers, the takeaway is simple: these agreements mean that your data doesn’t lose its protections just because it crosses a border.
 

The Bigger Picture

The DPF marks a new era in transatlantic data sharing, one that feels more stable than past attempts and better balanced between trade and privacy. SCCs also remain important, underwriting the global safety net, and together these mechanisms ensure that digital life continues seamlessly, whether you’re shopping, streaming, or collaborating with colleagues on the other side of the world.

If your organization is interested in the DPF in particular, BBB National Programs is here to help. BBB National Programs serves as an independent recourse mechanism and verification provider for the DPF program. Check out our DPF Services page to learn more.