Safe Harbor was a data protection agreement between the EU and the US that was in place from 2000 to 2015 and was intended to enable data transfers between the two regions. It was based on self-certification by US companies that committed to complying with certain data protection principles without any external monitoring. The European Court of Justice declared Safe Harbor invalid in 2015 because the level of data protection in the US was considered insufficient and EU citizens were not granted adequate legal protection (Schrems I).

The EU-US Privacy Shield was introduced in 2016 as the successor to Safe Harbor and was intended to ensure a higher level of data protection for EU citizens when transferring personal data to the US. US companies could voluntarily certify themselves and had to comply with stricter data protection rules, with compliance being monitored and violations sanctioned. This agreement was also declared invalid by the European Court of Justice in 2020 due to continuing concerns about protection against access by US authorities and the lack of legal remedies for EU citizens (Schrems II).

The EU-US Data Privacy Framework has been the current legal framework for data transfers between the EU and the US since July 2023. It provides for new safeguards, including restrictions on access by US intelligence services and the introduction of an independent “Data Protection Review Court” for complaints from EU citizens. Only certified US companies may receive personal data from the EU, with the European Commission recognizing the level of data protection in these companies as adequate.

The US CLOUD Act obliges American companies to disclose data – even if it is stored on servers outside the US. If you use US-based cloud providers, there is therefore a risk that US authorities can access your data – without your knowledge or any control by European courts.

International data protection agreements such as the Trans-Atlantic Data Privacy Framework (TADPF) are intended to provide legal certainty for data exchanges between the EU and the US. However, such agreements are often criticized because they do not guarantee the same level of protection as the GDPR. Previous agreements such as Safe Harbor and Privacy Shield have already been overturned by the European Court of Justice, so companies should not rely solely on such agreements.

Following the collapse of the Privacy Shield agreement, the use of many US services is now legally problematic. According to the GDPR, the transfer of personal data to third countries without adequate data protection is only permitted under very strict conditions – and entails liability risks.

Digital sovereignty means that you always know and control where your data is located, who has access to it, and which laws apply to your infrastructure. This not only protects you from data leaks, but also from legal uncertainties and damage to your image.

With providers such as Myra, you are choosing a European, GDPR-compliant alternative that focuses on compliance, transparency, and security. This allows you to remain independent, auditable, and compliant with regulatory requirements — e.g., for critical infrastructure, the public sector, or data-sensitive industries.