Regulation

What is Privacy Shield?

Privacy Shield was a framework governing transatlantic data transfers between the EU and the US, invalidated by the EU Court of Justice in 2020 and subsequently replaced by the EU-US Data Privacy Framework in 2023.

The EU-US Privacy Shield was a legal framework established in 2016 to enable the transfer of personal data from the European Union to certified organizations in the United States. It replaced the earlier Safe Harbor framework, which was invalidated by the Court of Justice of the European Union (CJEU) in the Schrems I decision. The Privacy Shield required participating US organizations to self-certify their adherence to a set of privacy principles and submit to enforcement by the Federal Trade Commission or Department of Transportation.

In July 2020, the CJEU invalidated the Privacy Shield in the Schrems II decision (Case C-311/18), finding that US surveillance practices did not provide adequate protection for EU personal data and that the framework lacked sufficient redress mechanisms for EU data subjects. This ruling created significant uncertainty for organizations transferring personal data from the EU to the US, pushing many to rely on Standard Contractual Clauses supplemented by additional safeguards.

In July 2023, the European Commission adopted an adequacy decision for the EU-US Data Privacy Framework (DPF), which was established through a US Executive Order addressing the concerns raised in Schrems II. The DPF introduced new safeguards including limits on US intelligence access to EU data and a new Data Protection Review Court for EU individuals. Organizations involved in transatlantic data transfers should track these developments through ComplyIQ to ensure their transfer mechanisms remain valid.
