Editor’s note: This article was originally written by Thomas Weyr in 2000 and was updated in April 2026 to reflect current context and ensure relevance for today’s readers.
- Tension: Western democracies publicly champion privacy as a fundamental right while consistently building systems that undermine it.
- Noise: Each new EU-US data framework is celebrated as a permanent fix, drowning out the structural contradiction that makes every fix temporary.
- Direct Message: The real threat to your data privacy has never been a lack of agreements — it’s that surveillance and commerce share the same infrastructure.
In January 2000, the European Union made a move that barely registered in the American press. It sued five of its own member states — France, Germany, Ireland, the Netherlands, and Luxembourg — for failing to implement the bloc’s Data Protection Directive. Citizens in those countries were legally entitled to know when their personal data was being disclosed, whether related to credit scores, political affiliations, or any number of other sensitive categories. The governments had dragged their feet, and Brussels had finally had enough.
The action also sent a pointed message across the Atlantic. The EU’s Directive barred personal data from being sent to countries deemed to have inadequate privacy protections, and the United States was squarely in that category. Negotiators from both sides were scrambling toward a deadline, hoping to reach a compromise agreement by March of that year. The story seemed like a dry regulatory dispute. In retrospect, it was a preview of every privacy battle that would follow for the next quarter century and beyond.
The promise that keeps getting repackaged
The March 2000 deadline produced the Safe Harbor Framework later that summer, a self-certification scheme that allowed American companies to declare they were protecting EU citizens’ data. It was a workable, if imperfect, solution. For fifteen years, billions of dollars in transatlantic commerce flowed freely through it.
Then came Edward Snowden.
In 2013, Snowden revealed classified NSA documents that shed light on the US government’s surveillance practices. An Austrian law student named Max Schrems filed a complaint with Irish regulators, arguing that Facebook was sending his data to US servers that could not possibly guarantee EU-level protection given what the NSA was doing. In 2015, the Court of Justice of the European Union ruled Safe Harbor invalid, finding that US national security and law enforcement requirements essentially superseded the Safe Harbor principles, allowing US intelligence agencies broad access to data with insufficient limitations.
The response from policymakers was to negotiate a replacement. The EU-US Privacy Shield arrived in 2016. In July 2020, the European Court of Justice again determined that the Privacy Shield framework was invalid. Another round of negotiations followed, producing the EU-US Data Privacy Framework, formally adopted by the European Commission on July 10, 2023, allowing transfer of personal data from the EU to the US on the basis of the GDPR.
Three frameworks in twenty-three years. Each one hailed as the definitive solution. Each one built on a foundation the previous court had already declared inadequate.
Why the headlines keep missing the point
Each new agreement generates a predictable cycle. Privacy advocates warn that it fails to address structural problems. Legal experts predict another court challenge. Industry groups celebrate renewed certainty. Journalists write that the matter is, for now, resolved. Then, a few years later, a court agrees with the advocates.
The 2023 framework is currently navigating this same cycle. In April 2024, FISA Section 702, a major complaint of European privacy regulators, was reauthorized with an expanded scope. At the same time, disputes over the independence of US oversight mechanisms have intensified, including a legal challenge involving the Privacy and Civil Liberties Oversight Board in 2025. But the European Court of Justice has historically been more skeptical than the General Court in assessing US surveillance practices, and an appeal is already in motion.
The noise in this story is the framework-to-framework drama itself. Every time negotiators strike a deal, coverage focuses on what changed in the fine print. Did the new redress mechanism satisfy the CJEU’s requirements? Is the oversight board sufficiently independent? These are legitimate questions. But they crowd out the more uncomfortable one beneath them.
What the revolving door is actually telling us
Every agreement collapses for the same reason: the US government built its commercial internet and its surveillance infrastructure on the same pipes, and no self-certification scheme can separate them.
This is what the EU recognized in 2000 when it sued its own members and pressed Washington for stronger rules: privacy is not just a policy preference. For Europeans shaped by twentieth-century history, it is a structural safeguard. The American tradition is different. The US has never passed a comprehensive federal privacy law. It regulates by sector — financial data here, health data there — and has consistently treated national security access as categorically separate from consumer protection.
US national security and law enforcement requirements have historically superseded framework principles, and courts have found that US undertakings are bound to disregard, without limitation, the protective rules where they conflict with such requirements. No executive order, however carefully worded, fully changes that architecture. If the current framework collapses, the consequences for transatlantic data flows would be severe, with data protection authorities already indicating that standard contractual clauses may be insufficient to overcome the US government’s powers to access data.
A pattern worth recognizing before the next deadline
Twenty-six years after that January 2000 enforcement action, the underlying argument has not changed. European regulators believe privacy requires structural protection. American policy treats it as a compliance checklist. The result is a recurring negotiation that produces frameworks with expiration dates baked in, even if no one will say so publicly.
For businesses, this means that treating any current framework as a permanent solution is a strategic mistake. Every compliance team that built its transfer processes entirely around Safe Harbor, then Privacy Shield, then the current Data Privacy Framework, has had to rebuild from scratch. The organizations that built for the underlying principle — genuine data minimization, limited collection, meaningful consent — have required far less scrambling each time a court acts.
For individuals, it means that the most reliable protection for personal data has never been an international agreement. It has been pressure on the companies and governments that hold the data in the first place, combined with policy that treats privacy as a right rather than a negotiating chip.
The EU was right in 2000 to push for something more durable than a handshake. The thirty deadlines and framework collapses that followed were not failures of negotiating skill. They were the predictable outcome of two systems with genuinely different values trying to paper over a gap that agreements alone cannot close. The only way out of that cycle is to address what the cycle is actually about.