EU Freelancer Working With US Clients: GDPR Rules
Short answer: if you are an EU-based freelancer handling personal data for US clients, GDPR still follows that data across the Atlantic, and our posture verdict is USE WITH CAUTION — the legal route exists today (the EU-US Data Privacy Framework), but it sits on shaky political and judicial ground as of June 2026. You can work with US clients lawfully, but only if you check the transfer basis for every tool and contract, not assume it. This guide (policy reviewed June 2026) walks through what actually applies to a solo operator: when you are a controller, when you are a processor, which transfer mechanism covers your US-hosted AI and cloud tools, and the concrete steps that keep a one-person business out of trouble. None of this counts as legal advice — it is a plain-English map of the rules as written.
What the GDPR rules actually require here
EU data-protection rules attach to personal data about people in the EU, not to where you or your client sit. So a freelancer in central France writing copy for a Texas startup is still inside GDPR’s scope the moment they touch an EU resident’s name, email, or call recording — even if the paying client is American. The cross-border question is separate: sending that data to a US-based recipient (your client, or a US-hosted tool) is a “transfer to a third country” that needs a legal basis under Chapter V of the GDPR.
| Question | What applies (as of June 2026) |
|---|---|
| Does GDPR follow EU client data to the US? | Yes, if the data is about EU people |
| Main legal route for US transfers | EU-US Data Privacy Framework (adequacy) |
| Backup route if recipient not certified | Standard Contractual Clauses plus a Transfer Impact Assessment |
| Is the Framework currently valid? | Valid, but a CJEU appeal is pending |
| Who is responsible for the transfer? | The data exporter (often you) |
| Records you must keep | Processing records and contracts, even solo |
Here is the load-bearing detail. The EU-US Data Privacy Framework (DPF) is a valid adequacy decision and, per the European Commission’s published guidance, was upheld by the EU General Court in September 2025. If your US client or US tool vendor is self-certified under the DPF, transfers to them ride on that adequacy and need no extra contract. If they are not certified, you fall back to Standard Contractual Clauses (SCCs) plus a Transfer Impact Assessment, per the Commission’s SCC Q&A. Treat a vendor’s certification status like any other privacy claim: verify it on the official list rather than taking the vendor’s marketing page at its word.
Two practical traps live inside that detail. Certification is per-vendor and time-bound: a US tool can be on the Data Privacy Framework list this quarter and lapse the next, so a check you did in January is not evidence you can lean on in June. And certification is also per-purpose — an organization may self-certify for HR data but not for the commercial data you are actually sending, so reading the scope of the listing matters as much as confirming the company appears on it. For a solo freelancer, the honest takeaway is that “they’re a big US company, surely they’re covered” is not a transfer basis. The basis is either a current, in-scope DPF listing or your own SCCs plus a Transfer Impact Assessment — and the burden of proving one of those sits with you as the exporter, not with the client who hired you.
What this means for solo freelancers
The practical risk for a one-person business is not a regulator knocking on your door tomorrow — it is signing client contracts and wiring data through US tools on assumptions you never checked. Based on the rules as written, three scenarios carry real exposure.
First, the “the client handles compliance” trap. If a US client tells you GDPR is their problem, that only holds if you are a processor acting on their documented instructions. The moment you decide what data to collect or how long to keep it — picking your own CRM, your own transcription tool — you act as a controller, and the transfer obligations land on you. Misreading this is the most common solo mistake.
Second, the silent-tool transfer. You paste an EU customer’s support emails into a US-hosted AI assistant to draft replies. That is a transfer to a US recipient. If the vendor is not DPF-certified and you have no SCCs in place, the transfer has no Chapter V basis as written — a gap you created without noticing.
Third, the Framework-only bet. Relying solely on the DPF carries a valid basis today, but the appeal in Case C-703/25 P is pending, the US oversight body (PCLOB) reviewing the Framework’s safeguards is in legal limbo, and the privacy group NOYB has signaled a possible “Schrems III” challenge. If adequacy is struck down, as it was twice before, DPF-only transfers lose their basis overnight. Carrying SCCs as a backup is the cautious posture.
A fourth, quieter risk is scope creep across a long engagement. You may start as a processor drafting emails to a client’s exact brief, then drift into deciding which analytics tool to bolt on or how to segment a mailing list. Each of those decisions can flip you into controller territory for that slice of data, and the transfer paperwork that the client was carrying no longer covers your side. Re-checking your role at each new task — not just at the contract signing — is the discipline that keeps a solo business clean as the work evolves.
How to handle it safely
Concrete steps, not vibes. Do these in order before your next US engagement.
- Classify each engagement. Write down, per client, whether you are a controller (you decide purposes) or a processor (you follow their instructions). This one decision drives everything else.
- Check certification. Look up each US client and each US tool vendor on the official Data Privacy Framework list (dataprivacyframework.gov). Note the date you checked — certifications lapse.
- Get the contract right. If a recipient is not DPF-certified, attach the European Commission’s current SCCs to the agreement and complete a short Transfer Impact Assessment describing the data, the recipient, and the safeguards.
- Minimize before you transfer. Strip names, redact identifiers, and pseudonymize client data before it ever reaches a US-hosted AI tool. Less personal data crossing the border means less exposure.
- Prefer EU-hosted or opt-out tooling. Where a tool offers EU data residency or a no-training switch, turn it on and keep a screenshot.
- Keep a one-page record. Solo operators still owe Article 30-style processing records: what data, why, where it goes, how long you keep it.
A quick note on why the order matters: classification before certification before contracts. If you skip straight to attaching SCCs without first deciding whether you are a controller or processor, you may attach the wrong clauses (the SCCs come in different modules for controller-to-processor, processor-to-processor, and so on). And if you check certification before classifying, you can waste time vetting a vendor for a transfer you were never the responsible exporter for in the first place. Working the list in sequence is what turns a vague worry into a defensible position you can show a client.
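The minimization step above is the one a freelancer can partly automate. The following is an added example, not code from the original page or from any vendor it names: it pseudonymizes the direct identifiers in a support email before the text leaves your machine, using a keyed (HMAC) token so the same customer maps to the same placeholder across a conversation, and keeps the token-to-original mapping locally so the AI tool’s reply can be re-identified on your side. The sample email, the key, the known-name list and the regex patterns are all constructed for this example; the name list is an assumption you must supply per client, because free-text names are only caught when listed.

```python
import hashlib
import hmac
import re

# Constructed example key. In practice load this from a local secrets store;
# it is the "additional information kept separately" that makes the output a
# pseudonym rather than anonymized data, so it must never be sent with the text.
KEY = b"local-pseudonymisation-key-change-me"

# Regexes for the structured identifiers a support inbox typically leaks.
# Constructed for this example; extend (IBANs, order numbers, ...) to fit your data.
# The phone pattern requires at least ten digits so ISO dates are left alone.
PATTERNS = {
    "EMAIL": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "PHONE": re.compile(r"\+?(?:\d[ .-]?){9,14}\d"),
}

# Constructed sample of the kind of text a freelancer might paste into a
# US-hosted AI assistant to draft a reply.
SAMPLE = (
    "Hi team, Anna Rossi (anna.rossi@example.eu, +33 6 12 34 56 78) says the "
    "invoice from ticket 2026-06-12 is still wrong. Please reply to her today."
)


def _token(kind: str, value: str, key: bytes) -> str:
    """Keyed pseudonym: stable for one value under one key, unreversible without it."""
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:10]
    return f"<{kind}_{digest}>"


def pseudonymise(text: str, key: bytes, known_names=()):
    """Replace direct identifiers with stable tokens.

    Returns (pseudonymised_text, mapping). The mapping (token -> original)
    stays on your machine; only the first element is sent to the AI tool.
    """
    mapping = {}
    out = text
    # Longest names first so "Anna Maria Rossi" is not half-eaten by "Anna".
    for name in sorted(known_names, key=len, reverse=True):
        rx = re.compile(r"\b" + re.escape(name) + r"\b", re.IGNORECASE)
        if rx.search(out):
            tok = _token("NAME", name.lower(), key)
            mapping[tok] = name
            out = rx.sub(tok, out)
    for kind, rx in PATTERNS.items():
        def repl(match, kind=kind):
            tok = _token(kind, match.group(0), key)
            mapping[tok] = match.group(0)
            return tok
        out = rx.sub(repl, out)
    return out, mapping


def reidentify(text: str, mapping: dict) -> str:
    """Put the originals back into the AI tool's reply, locally."""
    for tok, original in mapping.items():
        text = text.replace(tok, original)
    return text


if __name__ == "__main__":
    safe_text, local_map = pseudonymise(SAMPLE, KEY, known_names=("Anna Rossi",))
    print("Send this across the border:\n ", safe_text)
    print("Keep this at home:\n ", local_map)
    print("Round trip intact:", reidentify(safe_text, local_map) == SAMPLE)
```

Two design points worth noting. The tokens are HMAC-derived rather than random so that a long thread keeps referring to the same placeholder, which the AI tool needs for coherent drafting, while the key never leaves your machine. And the approach only reduces exposure: indirect identifiers (a rare job title, a small town) can still single someone out, so the output is pseudonymized personal data under the GDPR, not anonymous data, and the transfer basis from the steps above is still required.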
Privacy-friendlier tools for cross-border work
You cannot contract your way out of a leaky tool stack, so the cleanest move is to run client data through services that keep it in the EU or encrypt it end to end. These are matched to the documents, mail, and credentials a cross-border freelancer actually handles.
- Proton (proton.me). Swiss-based, end-to-end encrypted mail, calendar, and Drive. What it gives you that a generic US inbox does not: EU/Swiss hosting and zero-access encryption, so the provider cannot read client material. Free tier to start; paid plans run roughly 4 to 10 euros per month. Best for freelancers who email EU client data daily.
- Tailscale (tailscale.com). A private WireGuard-based mesh network so you reach your own machines without exposing files to a third-party US cloud. What it adds: client files stay on hardware you control instead of a shared SaaS bucket. Caveat: file contents travel encrypted between your devices, but the coordination service (Tailscale is a Canadian company) still handles node identities and keys, so it belongs in your vendor list like any other tool. Free for individuals; team tiers in the low-single-digit dollars per user. Best for devs and consultants moving project files.
- Bitwarden (bitwarden.com). Open-source password manager with optional EU data hosting. What it gives you: encrypted credential storage you can pin to an EU region. Free tier covers solo use; premium is about 10 dollars a year. Best for anyone juggling US client logins.
- A hardware security key such as a YubiKey on Amazon hardens the accounts where that client data lives: phishing-resistant MFA, so a password leaked in a US-side breach does not on its own open the account.
For a vetted VPN to lock down transfers on public networks, NordVPN via our partner link keeps your connection encrypted, though a VPN is a transport safeguard, not a substitute for a transfer basis.
The pattern across all of these is the same: shrink the amount of EU personal data that ever crosses the Atlantic, and keep what does cross under encryption you control. A tool stack built this way does not erase your paperwork duties, but it shrinks the blast radius if a US-side provider is breached or if the adequacy ground shifts under your feet. For a freelancer, that resilience is worth more than any single feature, because you are the whole compliance department — there is no separate security team to clean up after a bad vendor choice.
The verdict
ATP Privacy-Vetted: USE WITH CAUTION
Verdict: USE WITH CAUTION. An EU freelancer can lawfully serve US clients today, because the EU-US Data Privacy Framework provides a working adequacy route and Standard Contractual Clauses plus a Transfer Impact Assessment cover the rest — but the Framework’s pending CJEU appeal and the standing “Schrems III” threat mean a DPF-only posture is fragile, so check every recipient’s certification, keep SCCs as a backup, and minimize the personal data you send across the border.
FAQ
Does GDPR apply to me if my client is American?
Yes, where the data is about people in the EU. GDPR scope follows the data subjects, not the client’s location. If you process an EU resident’s personal data while working for a US company, the rules as written still apply to your handling of that data, and you remain responsible for how it is collected, stored, and transferred onward.
Can I send EU client data to a US-based AI tool?
Only with a valid transfer basis. If the vendor is self-certified under the EU-US Data Privacy Framework, the transfer rides on that adequacy. If it is not certified, you need Standard Contractual Clauses plus a Transfer Impact Assessment in place first. Without one of these, the transfer lacks a Chapter V basis as the rules are written.
Am I a controller or a processor when freelancing?
It depends on who decides the purpose. If your US client documents exactly what to do and you only follow instructions, you are usually a processor. If you choose what data to gather, which tools to use, or how long to keep it, you act as a controller and carry the transfer duties yourself. Many solo workers are controllers without realizing it.
Is the EU-US Data Privacy Framework still valid in 2026?
As of June 2026 it remains valid, and the EU General Court upheld it in September 2025. However, an appeal before the Court of Justice (Case C-703/25 P) is pending and the privacy group NOYB has signaled a possible further challenge. The Framework works now, but treating it as permanent is risky; many freelancers keep Standard Contractual Clauses as a fallback.
Do I really need written records as a one-person business?
In most cases, yes. The GDPR’s records-of-processing duty has narrow exemptions that rarely fully cover a freelancer handling client personal data regularly. A simple one-page log of what data you hold, why, where it goes, and how long you keep it is the practical baseline and the first thing useful if a client or authority ever asks.
Sources
- EU-US Data Privacy Framework, European Commission adequacy decision and General Court ruling (Sept 2025) — retrieved 2026-06-29: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection_en
- European Commission, New Standard Contractual Clauses — Questions and Answers — retrieved 2026-06-29: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/new-standard-contractual-clauses-questions-and-answers-overview_en
- Official EU-US Data Privacy Framework certification list — retrieved 2026-06-29: https://www.dataprivacyframework.gov/
- Case C-703/25 P (pending DPF appeal) and “Schrems III” signals, public reporting — retrieved 2026-06-29: https://noyb.eu/en
Reviewed by Jérémy, founder of AidTaskPro and GreenBudgetHub. Based in central France. Privacy posture sourced from public policies and vendor documentation as of 2026-06-29.