Privacy Shield was a data protection agreement meant to secure the transfer of personal data from the EU and Switzerland to the US.

Privacy Shield was set to replace Safe Harbor, invalidated by the Court of Justice of the European Union (CJEU) in October 2015. The updated agreement was intended to protect European residents’ rights effectively, ensure an appropriate security level for processing personal data, and enable seamless data and market exchange between the EU and the US.

However, on July 16, 2020, the CJEU invalidated the Privacy Shield in a decision known as the Schrems II ruling. The court stated that sending personal data from the EU to the US is unlawful if companies can’t guarantee it will be kept from US intelligence. As a result, Privacy Shield is no longer a valid legal basis for EU-US data transfers. Following the ruling, applicable organizations have transferred EU personal data to the US using standard contractual clauses (SCCs).

In March 2022, the new EU-US Data Privacy Framework (DPF), also known as Privacy Shield 2.0, was agreed upon in principle by EU and US leaders. In October, the President of the United States signed an executive order to begin work on the new framework. On December 13, 2022, the European Commission initiated the formal process for adopting an adequacy decision on the DPF. However, there are already concerns being raised that Privacy Shield 2.0 may not satisfy European regulators.

Check out our blog posts on Privacy Shield:

• Privacy Shield 2.0: What it is and how it will affect your business
• The invalidation of Privacy Shield and the status of EU-US data transfers
• The Story Behind Safe Harbor and Privacy Shield
• Is Google Analytics illegal in the EU?