TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Privacy Shields: From EU-U.S. Privacy Shield to Today
Legal Compliance

Privacy Shields: From EU-U.S. Privacy Shield to Today

Learn what privacy shields are, why the EU-U.S. Privacy Shield was invalidated, and what frameworks replaced it for cross-border data transfers.

TermsBox Team|April 3, 202613 min read

Privacy shields refer to the legal frameworks and mechanisms that protect personal data when it crosses international borders, particularly from the European Union to the United States. The term gained widespread recognition through the EU-U.S. Privacy Shield, a data transfer agreement that governed how thousands of American companies handled European personal data until its invalidation in 2020.

Understanding the history and current state of privacy shields is essential for any website owner who uses U.S.-based services to process data from European visitors. This guide covers the original Privacy Shield, why it was struck down, what replaced it, and the practical steps you need to take. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

What Are Privacy Shields?

Privacy shields are legal mechanisms that ensure personal data remains protected when transferred from a jurisdiction with strong privacy laws to one with different or weaker protections. The concept addresses a fundamental tension in global commerce: personal data flows freely across the internet, but privacy laws do not.

The European Union has some of the strictest data protection requirements in the world through the General Data Protection Regulation (GDPR). Article 44 of the GDPR prohibits the transfer of personal data to a country outside the European Economic Area unless that country provides an "adequate level of protection" or an appropriate safeguard is in place. Privacy shields are one category of those safeguards.

The term is most closely associated with the EU-U.S. Privacy Shield, but the broader concept encompasses several mechanisms:

  • Adequacy decisions: The European Commission formally recognizes that a third country's data protection laws provide equivalent protection to the GDPR
  • Standard Contractual Clauses (SCCs): Pre-approved contract terms that impose GDPR-level obligations on the data recipient
  • Binding Corporate Rules (BCRs): Internal policies for multinational organizations, approved by supervisory authorities under Article 47 of the GDPR
  • International frameworks: Bilateral or multilateral agreements between governments establishing data protection standards

For website owners, privacy shields matter because the third-party services powering your site, including analytics, email marketing, cloud hosting, and payment processing, frequently transfer personal data across borders. The legal basis for those transfers directly affects your compliance obligations.

The History of EU-U.S. Privacy Shields

The story of privacy shields between the EU and the United States is a story of repeated attempts to bridge fundamentally different approaches to data protection. The EU treats privacy as a fundamental right. The United States takes a sectoral approach with no single comprehensive federal privacy law, and U.S. intelligence agencies operate under broad surveillance authorities.

Safe Harbor (2000 to 2015)

The first formal framework was the U.S.-EU Safe Harbor agreement, adopted in July 2000. Safe Harbor allowed U.S. companies to self-certify that they met seven privacy principles, broadly similar to EU data protection requirements. The program was administered by the U.S. Department of Commerce, and over 4,000 companies participated.

Safe Harbor collapsed on October 6, 2015, when the Court of Justice of the European Union (CJEU) ruled in the Schrems I case (Case C-362/14) that the framework was invalid. Austrian privacy activist Max Schrems had challenged Facebook's data transfers, arguing that U.S. government surveillance programs, revealed by Edward Snowden in 2013, meant that Safe Harbor did not provide adequate protection. The court agreed.

Privacy Shield (2016 to 2020)

Negotiations for a replacement began immediately after the Schrems I ruling. The EU-U.S. Privacy Shield was adopted on July 12, 2016, with enhanced protections designed to address the court's concerns. The Privacy Shield included:

  • Stronger obligations for participating companies
  • Clearer limitations on U.S. government access to data
  • An ombudsperson mechanism for EU individuals to raise complaints about intelligence access
  • Annual joint review by the European Commission and U.S. Department of Commerce

At its peak, more than 5,300 U.S. organizations were certified under the Privacy Shield. Major technology companies, cloud providers, and SaaS platforms relied on it as their primary legal basis for processing EU personal data.

The Schrems II ruling

On July 16, 2020, the CJEU struck down the Privacy Shield in the Schrems II ruling (Case C-311/18). Max Schrems had again challenged Facebook's data transfers, this time targeting both the Privacy Shield and Standard Contractual Clauses.

The court found that U.S. surveillance laws, specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, gave U.S. intelligence agencies access to personal data transferred from the EU without limitations that were "essentially equivalent" to those required under EU law. Critically, the court also found that the Privacy Shield's ombudsperson mechanism did not provide effective judicial redress for EU individuals.

The ruling left thousands of companies without a legal basis for transatlantic data transfers overnight. While the court upheld Standard Contractual Clauses in principle, it required data exporters to conduct case-by-case assessments of whether the laws of the destination country undermined the protections in the clauses.

The EU-U.S. Data Privacy Framework: The New Privacy Shield

After two years of negotiations, the United States and European Union developed a successor framework to address the Schrems II concerns. The EU-U.S. Data Privacy Framework (DPF) became the new privacy shield through a series of steps.

Executive Order 14086

On October 7, 2022, President Biden signed Executive Order 14086, titled "Enhancing Safeguards for United States Signals Intelligence Activities." This order introduced two key changes:

  1. Proportionality and necessity requirements: U.S. signals intelligence activities must be conducted only to the extent that is proportionate and necessary to advance validated intelligence priorities. The order explicitly lists 12 legitimate objectives and prohibits surveillance for purposes such as suppressing dissent or gaining commercial advantage.
  2. Data Protection Review Court (DPRC): A new independent body composed of judges from outside the U.S. government who review complaints from EU individuals about unlawful access to their data by U.S. intelligence agencies. Unlike the Privacy Shield's ombudsperson, the DPRC has binding authority.

Adequacy decision

On July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework under Article 45 of the GDPR. This decision established that the United States provides an adequate level of protection for personal data transferred to certified U.S. organizations.

Self-certification

U.S. organizations join the DPF by self-certifying with the U.S. Department of Commerce that they comply with the framework's principles. These principles mirror those from the original Privacy Shield: notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse. Certified organizations appear on the Data Privacy Framework List maintained by the Department of Commerce.

How Privacy Shields Affect Your Website

Even if your company is not directly certified under a privacy shield framework, these mechanisms affect your website in several concrete ways.

Third-party service providers

Most websites rely on services from U.S. companies. Google Analytics, Cloudflare, AWS, Stripe, Mailchimp, Intercom, and hundreds of other tools process personal data from your visitors on servers located in the United States. Each of these providers needs a legal basis for receiving that data.

Check whether your key service providers are certified under the EU-U.S. Data Privacy Framework. You can verify certification on the Data Privacy Framework List at dataprivacyframework.gov. If a provider is not certified, verify whether they offer Standard Contractual Clauses as an alternative transfer mechanism.

Privacy policy requirements

Article 13(1)(f) of the GDPR requires your privacy policy to inform users about international data transfers, including the transfer mechanisms you rely on. If your policy still references the EU-U.S. Privacy Shield, it is outdated and must be updated.

Your privacy policy should:

  • Identify which countries personal data is transferred to
  • Name the legal mechanism for each transfer (adequacy decision, SCCs, DPF certification)
  • Explain how users can obtain a copy of the safeguards
  • Provide links to relevant certification lists or SCC documentation

A privacy policy generator can help you create a policy that addresses these transfer disclosure requirements, but you should verify the specific details with your legal counsel.

Cookie consent and tracking

Many tracking technologies used on websites, including analytics scripts, advertising pixels, and social media widgets, transfer personal data to servers outside the EEA. Your cookie consent mechanism must obtain valid consent before loading these scripts, and your cookie policy generator output should explain the international transfers that occur when users accept each category of cookies.

Risks and Uncertainties Around Privacy Shields

The EU-U.S. Data Privacy Framework addressed the specific concerns raised in the Schrems II ruling, but uncertainty remains about its long-term stability.

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.

Generate Now

Legal challenges

The organization NOYB (None of Your Business), founded by Max Schrems, filed a challenge to the Data Privacy Framework's adequacy decision with the CJEU in 2023. The challenge argues that Executive Order 14086 does not adequately address the court's concerns from Schrems II, particularly regarding the independence of the DPRC and whether U.S. surveillance has been sufficiently limited to meet EU proportionality standards.

The CJEU has not yet ruled on this challenge. If the court invalidates the DPF as it did with Safe Harbor and Privacy Shield, the cycle would repeat, and organizations would again lose a primary legal basis for transatlantic data transfers.

Political risk

The Data Privacy Framework relies partly on Executive Order 14086, which a future U.S. president could modify or revoke. While the framework also has a legislative foundation through existing U.S. privacy and consumer protection laws enforced by the FTC, the executive order provisions are central to addressing the Schrems II concerns.

Practical measures to reduce risk

Given these uncertainties, prudent website owners should not rely exclusively on a single privacy shield mechanism:

  • Layer transfer mechanisms: Use Standard Contractual Clauses alongside DPF certification where possible
  • Conduct transfer impact assessments: Document your analysis of the laws in the destination country and the supplementary measures you apply
  • Minimize data transfers: Where feasible, use services that offer EU-based data processing to reduce reliance on transatlantic transfers entirely
  • Monitor developments: Track the CJEU challenge and any changes to U.S. executive orders or surveillance laws
  • Keep your privacy policy current: Update transfer disclosures promptly when the legal landscape changes

Alternative Transfer Mechanisms Beyond Privacy Shields

Privacy shields are not the only option for lawful international data transfers. Several alternatives exist, and understanding them helps you build a resilient compliance strategy.

Standard Contractual Clauses

The European Commission adopted modernized SCCs on June 4, 2021 (Commission Implementing Decision 2021/914). These clauses come in four modules covering different transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.

SCCs are the most widely used transfer mechanism globally. Unlike privacy shield frameworks, they do not depend on government-to-government agreements. However, the Schrems II ruling requires data exporters to assess whether the laws of the destination country undermine the protections in the clauses and to implement supplementary measures if needed.

Binding Corporate Rules

BCRs are internal data protection policies approved by an EU supervisory authority under Article 47 of the GDPR. They are primarily used by multinational corporations to transfer personal data within their corporate group. The approval process is lengthy and resource-intensive, making BCRs impractical for most small and mid-sized businesses.

Derogations under Article 49

In the absence of an adequacy decision or appropriate safeguards, Article 49 of the GDPR permits transfers based on specific derogations:

  • Explicit consent of the data subject, after being informed of the risks
  • Necessity for the performance of a contract between the data subject and the controller
  • Important reasons of public interest recognized in EU or member state law
  • Establishment, exercise, or defense of legal claims

These derogations are intended for occasional, non-systematic transfers. They are not a viable basis for routine, large-scale data transfers such as those involved in cloud hosting or analytics.

Practical Steps for Website Compliance

To address privacy shield requirements and international data transfer obligations for your website, follow these steps.

Audit your data flows

Map every third-party service your website uses that processes personal data. For each service, document:

  • What personal data is transferred
  • Where the data is processed (which countries)
  • The legal basis for the transfer (DPF, SCCs, adequacy decision)
  • Whether the provider offers EU-based processing options

TermsBox offers a website compliance scanner that can identify cookies, trackers, and third-party scripts on your site, which helps map the services that may transfer data internationally.

Update your legal documents

Your privacy policy generator output should include a section on international data transfers that names the specific mechanisms you rely on. Remove any references to the invalidated EU-U.S. Privacy Shield. If your site uses cookies from U.S.-based providers, your cookie policy should explain the transfers that occur.

Implement proper consent

For tracking technologies that transfer data internationally, obtain valid consent before loading the scripts. Pre-ticked boxes, bundled consent, and cookie walls that block access unless users accept all cookies do not constitute valid consent under the GDPR. Your consent mechanism should offer granular choices and make it as easy to reject as to accept.

Establish a monitoring process

The legal framework for international data transfers has changed three times in the last decade (Safe Harbor, Privacy Shield, Data Privacy Framework). Build a process for monitoring developments and updating your compliance measures:

  • Subscribe to updates from your national data protection authority
  • Track the CJEU challenge to the Data Privacy Framework
  • Review your third-party providers' transfer mechanisms annually
  • Update privacy policies and consent mechanisms when the legal basis changes

Frequently Asked Questions

What was the EU-U.S. Privacy Shield?

The EU-U.S. Privacy Shield was a data transfer framework that allowed certified U.S. companies to receive personal data from the European Union. It was adopted in July 2016 as a replacement for the Safe Harbor agreement. Over 5,300 U.S. organizations were certified under Privacy Shield before the Court of Justice of the European Union invalidated it in July 2020 through the Schrems II ruling (Case C-311/18).

Why was the Privacy Shield invalidated?

The Court of Justice of the European Union invalidated the Privacy Shield in July 2020 because U.S. surveillance laws, particularly Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, allowed U.S. intelligence agencies to access personal data transferred from the EU without adequate safeguards or effective judicial redress for EU individuals. The court found that these surveillance powers were not limited to what was strictly necessary and proportionate.

What replaced the Privacy Shield?

The EU-U.S. Data Privacy Framework (DPF) replaced the Privacy Shield. The European Commission adopted an adequacy decision for the DPF on July 10, 2023. The framework is supported by Executive Order 14086, signed in October 2022, which introduced new safeguards for U.S. signals intelligence activities and established the Data Protection Review Court for EU individuals to challenge unlawful data access.

Do I need to update my privacy policy after the Privacy Shield changes?

Yes. If your privacy policy still references the EU-U.S. Privacy Shield as a data transfer mechanism, you must update it. Article 13(1)(f) of the GDPR requires you to inform users about the safeguards applied to international data transfers. Your policy should reference the current mechanisms you rely on, such as the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or both.

Related Tools

Privacy Policy Generator

Create a comprehensive privacy policy for your website or app

Related Articles

Legal Compliance

AI and Data Privacy: A Practical Guide for Businesses

Learn how AI and data privacy intersect, including legal obligations, compliance strategies, and steps to protect personal data in AI systems.

April 4, 202613 min read
Legal Compliance

AI GDPR Compliance: A Practical Guide for Businesses

Learn how AI GDPR rules affect your business, including legal obligations, compliance steps, and penalties for AI systems processing personal data.

April 4, 202614 min read
Legal Compliance

Apple's Data & Privacy Website: How to Use privacy.apple.com

Apple's data & privacy website at privacy.apple.com lets you download, correct, or delete your data. A step-by-step guide, plus how long a request takes.

April 4, 202613 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What Are Privacy Shields?
  • The History of EU-U.S. Privacy Shields
  • Safe Harbor (2000 to 2015)
  • Privacy Shield (2016 to 2020)
  • The Schrems II ruling
  • The EU-U.S. Data Privacy Framework: The New Privacy Shield
  • Executive Order 14086
  • Adequacy decision
  • Self-certification
  • How Privacy Shields Affect Your Website
  • Third-party service providers
  • Privacy policy requirements
  • Cookie consent and tracking
  • Risks and Uncertainties Around Privacy Shields
  • Legal challenges
  • Political risk
  • Practical measures to reduce risk
  • Alternative Transfer Mechanisms Beyond Privacy Shields
  • Standard Contractual Clauses
  • Binding Corporate Rules
  • Derogations under Article 49
  • Practical Steps for Website Compliance
  • Audit your data flows
  • Update your legal documents
  • Implement proper consent
  • Establish a monitoring process
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.