New Data Protection Framework comes into effect

On July 10, 2023, a new Data Protection Framework (DPF) for the transfer of personal data between the EU and the USA came into effect. The DPF replaces the previous Privacy Shield system, which did not provide sufficient protection for personal data.

Tatu Kallonen, August 16, 2023

From now on, personal data can be transferred from the EU to the USA without any additional measures, as long as the US company is DPF-certified. A certified company commits to securing its data according to GDPR data protection principles and providing equal protection to personal data. Both Google and HubSpot are DPF-certified companies.

Note: DPF cannot be used for data transfers between public sector entities.

You can find all DPF-certified companies here.

What does this mean in practice?

The use of tools such as Google Analytics and HubSpot on websites is legally permitted under the DPF. However, user consent is still required for collecting personal data and setting cookies. If data is collected without user consent, the collection must not use cookies and the data must be anonymized.

It’s worth keeping in mind that similar systems have been attempted twice before between the EU and the USA. The EU Court of Justice invalidated the Safe Harbour Agreement in 2015 and the Privacy Shield framework in 2020. Therefore, there is no certainty that the DPF will remain in place. It’s still a good idea to consider alternative analytics tools like Matomo and Piwik PRO, just in case.

If you’re interested in the trends in web analytics and GDPR, stay tuned – we’ll continue to write about all the important changes on our blog.