Where your analytics data physically lives has become a legal question as much as a technical one. For European site owners using US-hosted analytics services, the EU–US data transfer rules determine whether you’re compliant — or quietly breaking the law every time a visitor lands on your page.
This isn’t abstract privacy theory. It’s the direct outcome of a decade of court battles that started with a law student in Vienna and ended up reshaping how every EU-based website operator has to think about their analytics stack. And the story isn’t finished yet.
In this article, I’ll walk through the legal history — from Safe Harbor to the current Data Privacy Framework — explain what the transfer-adequacy rules actually require of you, and show why EU-hosted or self-hosted analytics sidesteps the entire question. Note: this is educational context, not legal advice. For compliance decisions, consult a privacy lawyer who knows your specific situation.
What Is an EU–US Data Transfer, and Why Does Analytics Trigger It?
Under GDPR Chapter V, sending personal data from the European Economic Area to any country outside the EEA is a “third-country transfer.” Before that transfer can happen legally, one of three bases must be in place: an adequacy decision by the European Commission, Standard Contractual Clauses (SCCs) with a transfer impact assessment, or the data subject’s explicit consent.
The United States does not have a general adequacy decision. Instead, there’s a specific framework — more on that below.
Analytics triggers this the moment your script phones home to a US-based server. A visitor in Berlin loads your site. Your analytics tag fires. It sends that visitor’s IP address, browser fingerprint, and page URL to a US data center. That’s a transfer of personal data under GDPR — IP addresses are personal data in the EU, full stop.
So the question becomes: what framework, if any, makes that transfer lawful?

The Legal Timeline: From Safe Harbor to the Data Privacy Framework
The EU–US transfer saga has gone through four distinct phases since 2000. Each one ended (or is playing out) in a way that mattered directly to the analytics decisions you make today.
| Framework | Period | What happened |
|---|---|---|
| Safe Harbor | 2000–2015 | Commission adequacy decision; allowed EU→US transfers for certified companies. Struck down by CJEU C-362/14 (Schrems I) in October 2015 after Snowden revelations showed US surveillance programs were incompatible with EU fundamental rights. |
| Privacy Shield | 2016–2020 | Replacement adequacy decision negotiated in 2016. Also struck down — this time by CJEU C-311/18 (Schrems II) in July 2020. Court found US surveillance laws (FISA 702, EO 12333) still gave US intelligence services access to EU data without effective redress for EU persons. |
| Data Privacy Framework (DPF) | July 2023 – present | Third attempt. Commission issued an adequacy decision in July 2023. The US signed Executive Order 14086, creating a new Data Protection Review Court (DPRC) for EU complaints. DPF is currently valid. An EU General Court challenge (Latombe) was dismissed on 3 September 2025. |
| C-703/25 P — pending appeal | October 2025 – ? | Latombe appealed to the CJEU on 31 October 2025 (registered as Case C-703/25 P). No hearing date announced as of May 2026. noyb and Max Schrems continue related litigation. A future invalidation remains a genuine risk — but the DPF has not been struck down. |
The pattern is clear. Safe Harbor fell. Privacy Shield fell. The DPF is the current legal basis — and it’s standing as of today — but it faces live litigation at the highest EU court. Whether you want to bet your compliance posture on it is a business decision, not just a legal one.
What Schrems II Actually Changed (and Why It Still Matters)
Schrems II (C-311/18, July 2020) didn’t just kill Privacy Shield. It fundamentally changed how any EU–US transfer has to be justified, including those using Standard Contractual Clauses.
Before that ruling, SCCs were treated as a blanket solution. After it, the EDPB’s Recommendations 01/2020 required that every SCC-based transfer be accompanied by a Transfer Impact Assessment (TIA). You have to actually evaluate whether the legal system of the destination country provides equivalent protection. For the US, that assessment is genuinely difficult — because FISA Section 702 allows the NSA to compel US-based service providers to hand over data on non-US persons without any court order that an EU data subject could challenge.
In practice, this means that analytics tools relying on SCCs for their EU→US data flows aren’t automatically compliant just because they’ve signed SCCs. The controller — that’s you, the site owner — is partly responsible for that assessment. Most site owners don’t know this. Many analytics providers don’t highlight it either.
The DPF was specifically designed to fix the FISA 702 problem by creating the DPRC. Whether it does so adequately is precisely what Case C-703/25 P will decide.

How EU-Hosted and Self-Hosted Analytics Sidestep All of This
Here’s the clean solution: if the data never leaves the EEA, Chapter V of GDPR doesn’t apply. No transfer, no transfer-adequacy requirement, no exposure to whatever happens in the next round of US surveillance litigation.
This is the actual privacy advantage of EU-hosted SaaS analytics and self-hosted open-source tools — not just a marketing angle, but a structural legal benefit.
EU-hosted SaaS options
Plausible Analytics is incorporated in the EU and stores all data on EU servers (Hetzner, Germany and Finland). Their infrastructure doesn’t route through US providers for primary data storage. For most site owners, this is the simplest path: switch to Plausible, verify in their DPA (data processing agreement) that data stays in the EU, done.
Simple Analytics is based in the Netherlands and stores data within the EU by default. Zero cookies, no PII, no consent banner needed — and because data stays in the EU, no transfer-adequacy exposure either.
Fathom is worth noting here: they use EU isolation for EU visitors. When you enable their EU isolation setting, EU visitor data is processed and stored on EU infrastructure and never touches a US server. It’s not the default, but it’s available.
If you want to see how these tools handle GDPR compliance features in detail, I compared them in depth: GDPR compliance features in Plausible, Fathom, Umami, and Simple Analytics.
Self-hosted open-source options
Self-hosting puts you in full control. You pick the server location. Your data stays where you put it. No third party has access. For EU operators, that means you can run analytics on a German VPS and know with certainty that no EU–US transfer is happening.
Matomo is the most feature-complete self-hosted option — funnels, heatmaps, ecommerce tracking, full raw data access. The hosting and data stay entirely under your control when self-hosted.
Umami is lighter — a Node.js app with PostgreSQL or MySQL, simpler dashboard, easier to set up. If Matomo feels like overkill, Umami covers the essentials with minimal infrastructure requirements.
GoatCounter is even lighter: a single Go binary with SQLite or PostgreSQL. The script is ~3.5KB. It’s minimal by design, great for blogs and small sites. Author Martin Tournoij runs the hosted version at goatcounter.com, but self-hosting is completely free and the code is on GitHub under EUPL-1.2.
For a full breakdown of how to actually set these up on your own server, the self-hosted analytics complete guide covers the implementation side in detail.
What About Standard Contractual Clauses — Don’t Those Cover It?
SCCs are the backup mechanism when no adequacy decision exists (or for transfers that fall outside the DPF’s scope). They’re a contractual commitment by the data importer to uphold GDPR-equivalent protections.
The problem is that SCCs are contractual, not legislative. If a US analytics provider signs SCCs with you but is still legally compelled by FISA Section 702 to hand data to US intelligence agencies, the SCCs don’t protect that data — you can’t contract around US law. That’s precisely what Schrems II established.
In practice, the EDPB outlined six scenarios for evaluating SCC-based transfers. For most web analytics flows, Scenario 6 applies: the transfer can’t be supplemented to make it lawful if the destination country’s law authorizes access that fundamentally conflicts with EU essential guarantees. That’s a hard position to take off the table when FISA 702 is still in place.
None of this means SCCs are useless — they still matter for many transfer types, and the DPF addresses the FISA 702 concern (to a degree that courts are still evaluating). But if you’re using an SCC-only basis for a US-based analytics provider right now, you’re in a grey area that your data protection authority could challenge.
The Cookie-Free Dimension: A Separate but Related Issue
Transfer adequacy governs whether data can flow to the US. The ePrivacy Directive (the “cookie law”) governs whether you need consent to collect it in the first place.
These are two separate compliance requirements that both affect analytics. A tool can be cookie-free (so no ePrivacy consent needed) but still transfer data to the US (so transfer adequacy still applies). Conversely, a tool can use cookies with full consent management but store data in the EU (so no transfer issue).
The cleanest configuration — no consent banner needed and no transfer-adequacy exposure — is a cookie-free tool with EU data residency. Plausible, Simple Analytics, or a self-hosted Umami/GoatCounter all hit that combination.
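One way to check your own site against these two separate dimensions is to export a HAR file from the browser’s network tab and classify each analytics beacon by data residency and by cookie use. The script below is an added example, not code from this article or from any of the tools named above; the hostnames and the residency map are hypothetical and must be filled from each provider’s DPA in practice.

```python
"""Audit a browser HAR export along the two axes discussed above:
(a) does the beacon leave the EEA, and (b) does it carry cookies?"""
import json
from urllib.parse import urlparse

# Hypothetical residency map: hostname -> where that endpoint stores data.
# Fill this from each provider's DPA; anything not listed is "unknown".
RESIDENCY = {
    "eu.analytics.example": "EEA",      # hypothetical EU-hosted SaaS
    "stats.mysite.example": "EEA",      # hypothetical self-hosted instance
    "collect.us-vendor.example": "US",  # hypothetical US-hosted vendor
}

def _has_header(headers, name):
    return any(h.get("name", "").lower() == name for h in headers)

def classify_request(url, req_headers, resp_headers):
    """Classify one captured request: transfer question vs. consent question."""
    host = urlparse(url).hostname or ""
    region = RESIDENCY.get(host, "unknown")
    return {
        "host": host,
        "region": region,
        # Anything not verified as EEA is treated as a Chapter V transfer.
        "third_country_transfer": region != "EEA",
        # A cookie sent or set raises the ePrivacy consent question, whatever the region.
        "uses_cookies": _has_header(req_headers, "cookie") or _has_header(resp_headers, "set-cookie"),
    }

def audit_har(har_text):
    """One finding per HAR entry (DevTools -> Network -> 'Save all as HAR')."""
    entries = json.loads(har_text)["log"]["entries"]
    return [classify_request(e["request"]["url"], e["request"].get("headers", []),
                             e.get("response", {}).get("headers", [])) for e in entries]

def transfers(findings):
    return sorted({f["host"] for f in findings if f["third_country_transfer"]})

def cookie_users(findings):
    return sorted({f["host"] for f in findings if f["uses_cookies"]})

# Constructed sample capture: three beacons fired during one page load.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://eu.analytics.example/api/event", "headers": []}, "response": {"headers": []}},
    {"request": {"url": "https://collect.us-vendor.example/collect?v=2", "headers": []},
     "response": {"headers": [{"name": "Set-Cookie", "value": "_vid=abc; Path=/"}]}},
    {"request": {"url": "https://stats.mysite.example/api/send", "headers": [{"name": "Cookie", "value": "s=xyz"}]},
     "response": {"headers": []}},
]}})

if __name__ == "__main__":
    results = audit_har(SAMPLE_HAR)
    print("Third-country transfers:", transfers(results))   # ['collect.us-vendor.example']
    print("Cookie-using endpoints:", cookie_users(results))  # ['collect.us-vendor.example', 'stats.mysite.example']
```

The self-hosted endpoint in the sample shows the second case from the paragraph above: a cookie-using tool with EU residency has no transfer exposure but still needs a consent answer.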
I covered how cookie-free tracking actually works technically in a separate piece: cookie-free analytics: how it works and why it matters. Worth reading alongside this one.
What Should You Actually Do?
If you’re a European site owner evaluating your analytics setup right now, here’s the honest breakdown:
- If you’re on a US-based analytics service with DPF coverage: you’re currently on solid legal ground. The DPF is valid. However, Case C-703/25 P is pending. If history repeats — and it has, twice — the DPF could be invalidated. That’s a risk you’re carrying.
- If you’re on SCCs alone: you need a Transfer Impact Assessment. Most site owners haven’t done one. That’s an exposure that supervisory authorities can act on.
- If you switch to an EU-hosted tool (Plausible, Simple Analytics, Fathom with EU isolation): Chapter V doesn’t apply. Your exposure to future court decisions about DPF is zero.
- If you self-host: same result, plus you own the data entirely. Higher setup cost, full control.
The practical argument for EU-hosted or self-hosted analytics isn’t that the DPF is bad law. It’s that you eliminate an entire category of compliance risk — transfer adequacy — regardless of what happens in Luxembourg over the next two years.
Bottom Line
The EU–US data transfer rules are the product of a 25-year negotiation between EU privacy rights and US surveillance law. That negotiation isn’t over. The DPF is the current answer, it’s valid, and a French digital rights group challenged it in the EU General Court and lost in September 2025 — but the CJEU appeal (C-703/25 P) is alive.
For analytics specifically, the architectural solution is straightforward: use tools that keep EU visitor data in the EU. The transfer-adequacy question dissolves. You don’t need to predict how CJEU judges will rule on FISA 702 in 2027 if your analytics data never touched a US server to begin with.
That’s not a workaround. It’s how the regulation was designed to work — data stays where the rights apply.
Again: this article is educational context, not legal advice. If your business depends on getting this right, review your setup with a privacy lawyer who knows the specifics of your data flows.
