Data Privacy Framework Program on Fire

Preparing for Changes: Action Guide for Website Operators Amid EU-US Privacy Framework Turmoil (Update)

The End of the EU-US Data Privacy Framework under Trump? The Impact on Websites and What You Can Do Now.

Much of modern websites rely on services that come from the USA. For all this to work, there needs to be a legal basis, previously the Privacy Shield. Its successor is the "EU-US Data Privacy Framework."

Gaps are emerging in the first days of Trump's term. Why should you care? Because it can quickly happen that one of the parties overturns the agreement, and we as companies are back in a legal gray area when using one of these services.

Update from February 21, 2025

In the original version of this article dated January 24, 2025, initial gaps in the agreement were mentioned.

Since then, President Trump's administration has dismissed members of the Privacy and Liberties Oversight Board (PCLOB).

This has led to the failure to meet the conditions of the data privacy agreement between the EU and the USA, which in turn compels the European Parliament to act.

This could soon signify the official end of the data privacy agreement.

Let's take a step back before we look at the impacts on websites and explore what can be done.

Basics: The EU-US Data Privacy Framework

The EU-US Data Privacy Framework is a legal agreement designed to transfer personal data safely from the EU to the USA. The main features include:

  • Stronger safeguards: New legal requirements limit surveillance by US intelligence services and ensure that access to data from the EU is necessary and proportionate.
  • Remedies: The Framework provides EU citizens with expanded options to address misuse of their data, including access to a new review court.
  • Monitoring and Compliance: Compliance with the Framework is regularly reviewed by US and EU authorities, with companies required to self-certify and disclose their privacy practices.

Okay, and why do we actually need this? "Generally EU law prohibits exporting personal data outside of the EU since 1995, unless there is an absolute need (e.g. when sending an email to any non-EU country) or when the non-EU country provides "essentially equivalent" protection of personal data of Europeans." (Source: Noyb.eu)

You can find a very detailed description of this framework by Thomas Schwenke here (German!) or of course at Wikipedia.

The current problem

Regarding the issues with the deal, Max Schrems has commented: "This deal was always build on sand, but the EU business lobby and the European Commission wanted it anyways. Instead of stable legal limitation, the EU was agreeing to executive promises that can be overturned in seconds. Now where the first Trump waves hit this deal, it may soon dissolve in seconds and bring many EU businesses into a legal limbo. [...]" (Source: Noyb.eu)

Attorney Thomas Schenke writes about it on LinkedIn

Screenshot of Post from Thomas Schwenke

Why should you care?
... or what does that mean for your own website.

As soon as the agreement collapses, you are in a legal gray zone with all services that are based on this agreement. At the end of the day, that includes everything that runs through the USA. Simple check for you: Open the privacy policy of your website and search for "Data Privacy Framework". Everything that appears is on your list of potential problems.

For example: Vimeo, Webflow, Cloudflare, WhatsApp, Google Tag Manager, Google Analytics, Google reCAPTCHA, YouTube, Facebook Pixel, Calendly ... sh*t!!

Alternatively, you could also visit websites and click "Reject" on the cookie banner. Much of what then disappears is affected, as you can see from the list, including things you as a visitor cannot see.

Visualization of a web site with and without cookie consent

You can also check the list here: https://www.dataprivacyframework.gov/list

If you go through the list, you'll quickly realize that a website is only a small part of the problem. The framework regulates much of our daily life and work on the internet.

What to do as a website operator?

Okay, just quickly swapping out Webflow as the basis for a website will be difficult to impossible. Your data protection officer can start with a "data protection impact assessment," but you can go through the list and seek alternatives in the EU for everything else.

Review and adjust tools

  • Assess the necessity of each software: Can you do without Google Analytics in the long run and use privacy-friendly alternatives from the EU? (Yes, they exist, e.g., SimpleAnalytics)
  • Local hosting: Integrate scripts and files directly on your website instead of loading them from external sources.
  • Reduce marketing tools: Minimize the number of tools that capture user data. Consider what you really need and what is just frills.

Replacement for embedded content

  • Replace content such as maps and videos with privacy-friendly alternatives.
  • Maps: Consider whether interactive maps are necessary or if a simple link suffices. Honestly, the Google Maps map on your website was never really usable.
  • Videos: Remove platforms like YouTube and Vimeo and consider alternatives for privacy-first video hosting that do without tracking and consent. (HINT HINT: We know one. Us!)
  • Fonts and Captchas: Host Google Fonts locally and use reCAPTCHA alternatives like Friendly Captcha.

Choose new providers from the EU

Select new providers from the EU so you can permanently solve the problem. All these agreements are a never-ending saga.

But frankly, this is also a win-win for your website visitors. Because much from the list is currently only possible if they click Agree on the cookie banner. Sometimes, for everyone else, only an unsightly skeleton of a website remains. (see image above)

Why do we care?

Take a look at our mission. The web is broken. Cookie banners, invasive technologies, such complicated frameworks have destroyed the user experience and setback modern websites.

Video Hosting in Europe

Instead of hanging around in a legal gray area again and hoping that such an agreement holds up, how about we just solve the problem? This can only be done – for websites – if data protection and user experience are considered together. We've done this for video hosting and developed Ignite. It's the only solution that delivers videos cookie-free and without consent, compliant with GDPR, without relying on these frameworks and without compromising the performance on your website.

We believe we need more solutions from the EU for the EU.

About Ignite See or offer on European Video Hosting