The Week "GDPR-Compliant" Stopped Being Enough
By Кононенко Евгений ПетровичPublished: 07 July 2026
The short version
In late June 2026, a U.S. Supreme Court ruling about how independent the Federal Trade Commission can be from the president reopened a fight over whether the main legal channel for moving European data to American servers — the EU-US Data Privacy Framework — still holds up. It's still formally in force, but European privacy advocates are now openly calling for it to be withdrawn, and nobody serious expects that question to resolve quickly. If your financial data's protection depends on that one legal mechanism staying intact, this is the week that stopped being a safe bet to ignore. We built ExtMoney's data architecture so that, for the parts of the product that matter most, that question doesn't need to come up at all.
Wait, what actually happened
Here's the short version, without the legal-newsletter jargon. Since 2023, the main tool letting US companies legally receive personal data transferred out of the EU has been the EU-US Data Privacy Framework, and it depends partly on the Federal Trade Commission acting as an independent watchdog holding participating companies to their commitments.
On June 29, 2026, the US Supreme Court ruled in a case called Trump v. Slaughter that the president has more power to remove FTC commissioners than people previously assumed — which, as a side effect, undercuts the "independent" part of "independent watchdog." European privacy advocates, led by the group noyb, wrote to the European Commission the next day arguing that this breaks a legal requirement the whole framework depends on, and pushed for it to be wound down. The Commission has said it's assessing the ruling's impact; formally, the framework is still valid while that plays out, and any court fight over it is expected to take a while.
None of that makes it illegal for a European company to use a US-based cloud provider tomorrow morning. What it does is remove the comfortable assumption that "we rely on the Data Privacy Framework" is a stable, boring, settled sentence. For the third time this decade — after Safe Harbor and Privacy Shield were each struck down in turn — the primary legal bridge for EU-US data flows is back in open question.
Why we didn't build our architecture around that bridge in the first place
We host ExtMoney's infrastructure in Germany. For most of what the app does — your transactions, your accounts, your balances, your net worth — the data never crosses the Atlantic in the first place, which means the current legal uncertainty doesn't touch it at all. No adequacy decision, no Standard Contractual Clauses, no framework to watch nervously in the news. The data residency question just doesn't arise, because the data doesn't leave.
That's a deliberate difference from "GDPR-compliant," which is a claim about following rules wherever your servers happen to be. "EU-hosted" is a fact about where the servers are. The two get conflated constantly in fintech marketing, and this month is a good illustration of why the distinction isn't pedantic.
We don't need your data to make money, and that shapes everything upstream
A privacy architecture is easier to trust when the business model doesn't quietly depend on undermining it. We make money from subscriptions — not from advertising, not from selling access to your spending patterns, not from a "free" tier that pays for itself by watching what you buy. No ads, no tracking, no resale, full stop.
That's not just a values statement; it changes what gets built. A company that monetizes attention has a standing incentive to collect more than it needs and hold it longer than it should. A company that monetizes a subscription has the opposite incentive: collect what the feature actually requires, because there's no second business model waiting to make use of the rest. Underneath that, the security specifics are the boring, verifiable kind: TLS 1.3 in transit, AES-256 encryption on backups kept in a separate region, two-factor authentication, and no telemetry collecting usage data you didn't explicitly agree to.
Where we still have to cross the Atlantic, and how we handle it honestly
We're not going to pretend every byte stays in Europe, because it doesn't, and a privacy pitch that quietly implies otherwise isn't one we want to make. A couple of features genuinely benefit from large language models, and today, some of that processing happens through providers outside the EU.
Where that's true, three things hold. First, it's disclosed — named as a subprocessor, not buried in a footnote. Second, it's covered by Standard Contractual Clauses rather than resting solely on the Data Privacy Framework, which matters precisely because SCCs don't depend on the same independence question currently in doubt (though they carry their own, separate risk-assessment obligations that we don't pretend away either). Third, what actually gets sent is minimized hard before it leaves: names get replaced with per-build tokens before anything reaches an external model, and only get swapped back locally once the response comes home — so a breach or subpoena on the other end doesn't hand over your real identity attached to your financial life.
Consent isn't a checkbox you tick once. It's a record that outlives the moment you clicked
A privacy policy that says "we ask for consent" is a promise. A system that can produce, on demand, the exact version of the exact consent text a specific user agreed to, and the exact timestamp they agreed to it, is a receipt. We built ours as the second kind: every consent event — for voice processing, for receipt scanning, for AI-generated insights, for marketing — gets written to an append-only log, tied to the specific wording that was on screen at the time, because privacy language changes and "which version did they actually agree to" needs to be answerable months later, not reconstructed from memory.
The practical effect is that if you turn off AI insights, the feature doesn't quietly keep running in the background on a technicality. Anomaly detection stays fully statistical either way — that part never needed an AI feature flag to begin with — and declining the AI layer on top of it produces a visibly different, still fully functional experience, rather than degrading into "well, technically you still get some AI."
Practical recommendations (if you're evaluating any app's privacy claims, including ours)
- Ask "where does the data live," not "are you compliant." Compliance is a legal argument about rules; residency is a fact about servers. This month is a live demonstration of why that distinction matters.
- Ask how the company actually makes money. A subscription-funded product and an ad-funded "free" one have structurally different incentives around your data, regardless of what either privacy policy says.
- Ask what happens to your data when you say no. If declining AI features doesn't produce a visibly different, fully functional experience, "opt-in" isn't really opt-in.
- Ask for the subprocessor list, not just the privacy policy. A company that can name exactly who touches your data, and why, is making a different kind of claim than one that gestures at "trusted partners."
Where we'd push back on ourselves
- We are not lawyers, and nothing above is legal advice — including to our own users. If the current legal uncertainty resolves in an unexpected direction, our compliance posture will need to adapt like everyone else's, and we're not claiming immunity from that.
- Some processing still leaves the EU, and pretending otherwise would be worse than the current arrangement. The honest position is "minimized, disclosed, and on the more resilient legal basis available today" — not "never happens."
- An append-only consent log is only as good as what it's actually checked against. The architecture makes the receipt possible; it doesn't automatically make every downstream engineering decision correct, and that requires ongoing discipline, not just a good schema.
- We're just launching, so this is a description of what we built, not yet a track record under real regulatory scrutiny at scale.
We're building this in the open. If "EU-hosted by default, funded by subscriptions instead of your data, with a receipt for every consent" sounds like the bar personal finance apps should be held to, start for free at ExtMoney — and if you want the technical version of any of the above, ask, we'll go deeper.