The EU-US Data Privacy Framework(DPF), what does it mean for small businesses?

Team Flowing Horse
2 min readJul 15, 2023

On 10 July, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework(Link1 Link2 ). So what does this 136 pages adequacy decision mean for small businesses, especially for small e-Comerence merchants, SaaS providers, and data analysis service providers?

Based on our study, adopting the EU-US transatlantic data privacy framework solves the most tricky, uncertain yet very hard to comply part of doing online business in Europe from America. Why? let’s explain it in detail.

For web marketers and builders, you may use Google Analytics for tracking, data analysis, and reporting. You may also hear that Google Analytics is not completely complied with GDPR, even for the newly released and privacy-improved version GA4. The reason is related to eu-us data transfer, since Google Analytics processes most of the data in America Data Centers, and users can not choose where to locate their customer data. So using Google Analytics means transferring customer privacy data from the EU to the US, so the users of Google Analytics actually legitimately endanger themselves for they may violate GDPR.

And actually, if you are using any SaaS services, you are facing a violation of GDPR. Do not record customers’ IP addresses, or place cookie usage consent popups, those are actually pretty easy for merchants or extension developers to do. But storing, processing, and analyzing customers' data based on their locations, are far too complex or maybe impossible for small business owners, from implementation to management. This is not just buying 2 servers, one in the EU, and the other in the US, unless the services in each continent are isolated operated, and supported. This is far beyond the capability of a small technique team, and I don’t see any large SaaS capable of providing a unified yet internally geo-separated service.

So, to be legally certain, hosting a unified business both in the EU and in the US, having reasonable data architecture cost, would be an impossible triangular under a restricted EU-US data transmission protection. The eu-us DPF here eases the contradiction and brings the legal certainty to host a unified business in both the EU and the US.

Under the eu-us DPF, Google Analytics should have fully complied with GDPR, and so are a lot of SaaS providers. We think this is the one and most important thing eu-us DPF means for small businesses. The globalization+ benefits everyone, is coming back!