Privacy Shields: From EU-U.S. Privacy Shield to Today
Learn what privacy shields are, why the EU-U.S. Privacy Shield was invalidated, and what frameworks replaced it for cross-border data transfers.
Privacy shields refer to the legal frameworks and mechanisms that protect personal data when it crosses international borders, particularly from the European Union to the United States. The term gained widespread recognition through the EU-U.S. Privacy Shield, a data transfer agreement that governed how thousands of American companies handled European personal data until its invalidation in 2020.
Understanding the history and current state of privacy shields is essential for any website owner who uses U.S.-based services to process data from European visitors. This guide covers the original Privacy Shield, why it was struck down, what replaced it, and the practical steps you need to take. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.
What Are Privacy Shields?
Privacy shields are legal mechanisms that ensure personal data remains protected when transferred from a jurisdiction with strong privacy laws to one with different or weaker protections. The concept addresses a fundamental tension in global commerce: personal data flows freely across the internet, but privacy laws do not.
The European Union has some of the strictest data protection requirements in the world through the General Data Protection Regulation (GDPR). Article 44 of the GDPR prohibits the transfer of personal data to a country outside the European Economic Area unless that country provides an "adequate level of protection" or an appropriate safeguard is in place. Privacy shields are one category of those safeguards.
The term is most closely associated with the EU-U.S. Privacy Shield, but the broader concept encompasses several mechanisms:
- Adequacy decisions: The European Commission formally recognizes that a third country's data protection laws provide equivalent protection to the GDPR
- Standard Contractual Clauses (SCCs): Pre-approved contract terms that impose GDPR-level obligations on the data recipient
- Binding Corporate Rules (BCRs): Internal policies for multinational organizations, approved by supervisory authorities under Article 47 of the GDPR
- International frameworks: Bilateral or multilateral agreements between governments establishing data protection standards
For website owners, privacy shields matter because the third-party services powering your site, including analytics, email marketing, cloud hosting, and payment processing, frequently transfer personal data across borders. The legal basis for those transfers directly affects your compliance obligations.
The History of EU-U.S. Privacy Shields
The story of privacy shields between the EU and the United States is a story of repeated attempts to bridge fundamentally different approaches to data protection. The EU treats privacy as a fundamental right. The United States takes a sectoral approach with no single comprehensive federal privacy law, and U.S. intelligence agencies operate under broad surveillance authorities.
Safe Harbor (2000 to 2015)
The first formal framework was the U.S.-EU Safe Harbor agreement, adopted in July 2000. Safe Harbor allowed U.S. companies to self-certify that they met seven privacy principles, broadly similar to EU data protection requirements. The program was administered by the U.S. Department of Commerce, and over 4,000 companies participated.
Safe Harbor collapsed on October 6, 2015, when the Court of Justice of the European Union (CJEU) ruled in the Schrems I case (Case C-362/14) that the framework was invalid. Austrian privacy activist Max Schrems had challenged Facebook's data transfers, arguing that U.S. government surveillance programs, revealed by Edward Snowden in 2013, meant that Safe Harbor did not provide adequate protection. The court agreed.
Privacy Shield (2016 to 2020)
Negotiations for a replacement began immediately after the Schrems I ruling. The EU-U.S. Privacy Shield was adopted on July 12, 2016, with enhanced protections designed to address the court's concerns. The Privacy Shield included:
- Stronger obligations for participating companies
- Clearer limitations on U.S. government access to data
- An ombudsperson mechanism for EU individuals to raise complaints about intelligence access
- Annual joint review by the European Commission and U.S. Department of Commerce
At its peak, more than 5,300 U.S. organizations were certified under the Privacy Shield. Major technology companies, cloud providers, and SaaS platforms relied on it as their primary legal basis for processing EU personal data.
The Schrems II ruling
On July 16, 2020, the CJEU struck down the Privacy Shield in the Schrems II ruling (Case C-311/18). Max Schrems had again challenged Facebook's data transfers, this time targeting both the Privacy Shield and Standard Contractual Clauses.
The court found that U.S. surveillance laws, specifically Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333, gave U.S. intelligence agencies access to personal data transferred from the EU without limitations that were "essentially equivalent" to those required under EU law. Critically, the court also found that the Privacy Shield's ombudsperson mechanism did not provide effective judicial redress for EU individuals.
The ruling left thousands of companies without a legal basis for transatlantic data transfers overnight. While the court upheld Standard Contractual Clauses in principle, it required data exporters to conduct case-by-case assessments of whether the laws of the destination country undermined the protections in the clauses.
The EU-U.S. Data Privacy Framework: The New Privacy Shield
After two years of negotiations, the United States and European Union developed a successor framework to address the Schrems II concerns. The EU-U.S. Data Privacy Framework (DPF) became the new privacy shield through a series of steps.
Executive Order 14086
On October 7, 2022, President Biden signed Executive Order 14086, titled "Enhancing Safeguards for United States Signals Intelligence Activities." This order introduced two key changes:
- Proportionality and necessity requirements: U.S. signals intelligence activities must be conducted only to the extent that is proportionate and necessary to advance validated intelligence priorities. The order explicitly lists 12 legitimate objectives and prohibits surveillance for purposes such as suppressing dissent or gaining commercial advantage.
- Data Protection Review Court (DPRC): A new independent body composed of judges from outside the U.S. government who review complaints from EU individuals about unlawful access to their data by U.S. intelligence agencies. Unlike the Privacy Shield's ombudsperson, the DPRC has binding authority.
Adequacy decision
On July 10, 2023, the European Commission adopted an adequacy decision for the EU-U.S. Data Privacy Framework under Article 45 of the GDPR. This decision established that the United States provides an adequate level of protection for personal data transferred to certified U.S. organizations.
Self-certification
U.S. organizations join the DPF by self-certifying with the U.S. Department of Commerce that they comply with the framework's principles. These principles mirror those from the original Privacy Shield: notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse. Certified organizations appear on the Data Privacy Framework List maintained by the Department of Commerce.
How Privacy Shields Affect Your Website
Even if your company is not directly certified under a privacy shield framework, these mechanisms affect your website in several concrete ways.
Third-party service providers
Most websites rely on services from U.S. companies. Google Analytics, Cloudflare, AWS, Stripe, Mailchimp, Intercom, and hundreds of other tools process personal data from your visitors on servers located in the United States. Each of these providers needs a legal basis for receiving that data.
Check whether your key service providers are certified under the EU-U.S. Data Privacy Framework. You can verify certification on the Data Privacy Framework List at dataprivacyframework.gov. If a provider is not certified, verify whether they offer Standard Contractual Clauses as an alternative transfer mechanism.
Privacy policy requirements
Article 13(1)(f) of the GDPR requires your privacy policy to inform users about international data transfers, including the transfer mechanisms you rely on. If your policy still references the EU-U.S. Privacy Shield, it is outdated and must be updated.
Your privacy policy should:
- Identify which countries personal data is transferred to
- Name the legal mechanism for each transfer (adequacy decision, SCCs, DPF certification)
- Explain how users can obtain a copy of the safeguards
- Provide links to relevant certification lists or SCC documentation
A privacy policy generator can help you create a policy that addresses these transfer disclosure requirements, but you should verify the specific details with your legal counsel.
Cookie consent and tracking
Many tracking technologies used on websites, including analytics scripts, advertising pixels, and social media widgets, transfer personal data to servers outside the EEA. Your cookie consent mechanism must obtain valid consent before loading these scripts, and your cookie policy generator output should explain the international transfers that occur when users accept each category of cookies.
Risks and Uncertainties Around Privacy Shields
The EU-U.S. Data Privacy Framework addressed the specific concerns raised in the Schrems II ruling, but uncertainty remains about its long-term stability.
Privacy Policy Generator
Create a comprehensive privacy policy for your website or app. Create yours in minutes with TermsBox.
Generate NowLegal challenges
The organization NOYB (None of Your Business), founded by Max Schrems, filed a challenge to the Data Privacy Framework's adequacy decision with the CJEU in 2023. The challenge argues that Executive Order 14086 does not adequately address the court's concerns from Schrems II, particularly regarding the independence of the DPRC and whether U.S. surveillance has been sufficiently limited to meet EU proportionality standards.
The CJEU has not yet ruled on this challenge. If the court invalidates the DPF as it did with Safe Harbor and Privacy Shield, the cycle would repeat, and organizations would again lose a primary legal basis for transatlantic data transfers.
Political risk
The Data Privacy Framework relies partly on Executive Order 14086, which a future U.S. president could modify or revoke. While the framework also has a legislative foundation through existing U.S. privacy and consumer protection laws enforced by the FTC, the executive order provisions are central to addressing the Schrems II concerns.
Practical measures to reduce risk
Given these uncertainties, prudent website owners should not rely exclusively on a single privacy shield mechanism:
- Layer transfer mechanisms: Use Standard Contractual Clauses alongside DPF certification where possible
- Conduct transfer impact assessments: Document your analysis of the laws in the destination country and the supplementary measures you apply
- Minimize data transfers: Where feasible, use services that offer EU-based data processing to reduce reliance on transatlantic transfers entirely
- Monitor developments: Track the CJEU challenge and any changes to U.S. executive orders or surveillance laws
- Keep your privacy policy current: Update transfer disclosures promptly when the legal landscape changes
Alternative Transfer Mechanisms Beyond Privacy Shields
Privacy shields are not the only option for lawful international data transfers. Several alternatives exist, and understanding them helps you build a resilient compliance strategy.
Standard Contractual Clauses
The European Commission adopted modernized SCCs on June 4, 2021 (Commission Implementing Decision 2021/914). These clauses come in four modules covering different transfer scenarios: controller-to-controller, controller-to-processor, processor-to-processor, and processor-to-controller.
SCCs are the most widely used transfer mechanism globally. Unlike privacy shield frameworks, they do not depend on government-to-government agreements. However, the Schrems II ruling requires data exporters to assess whether the laws of the destination country undermine the protections in the clauses and to implement supplementary measures if needed.
Binding Corporate Rules
BCRs are internal data protection policies approved by an EU supervisory authority under Article 47 of the GDPR. They are primarily used by multinational corporations to transfer personal data within their corporate group. The approval process is lengthy and resource-intensive, making BCRs impractical for most small and mid-sized businesses.
Derogations under Article 49
In the absence of an adequacy decision or appropriate safeguards, Article 49 of the GDPR permits transfers based on specific derogations:
- Explicit consent of the data subject, after being informed of the risks
- Necessity for the performance of a contract between the data subject and the controller
- Important reasons of public interest recognized in EU or member state law
- Establishment, exercise, or defense of legal claims
These derogations are intended for occasional, non-systematic transfers. They are not a viable basis for routine, large-scale data transfers such as those involved in cloud hosting or analytics.
Practical Steps for Website Compliance
To address privacy shield requirements and international data transfer obligations for your website, follow these steps.
Audit your data flows
Map every third-party service your website uses that processes personal data. For each service, document:
- What personal data is transferred
- Where the data is processed (which countries)
- The legal basis for the transfer (DPF, SCCs, adequacy decision)
- Whether the provider offers EU-based processing options
TermsBox offers a website compliance scanner that can identify cookies, trackers, and third-party scripts on your site, which helps map the services that may transfer data internationally.
Update your legal documents
Your privacy policy generator output should include a section on international data transfers that names the specific mechanisms you rely on. Remove any references to the invalidated EU-U.S. Privacy Shield. If your site uses cookies from U.S.-based providers, your cookie policy should explain the transfers that occur.
Implement proper consent
For tracking technologies that transfer data internationally, obtain valid consent before loading the scripts. Pre-ticked boxes, bundled consent, and cookie walls that block access unless users accept all cookies do not constitute valid consent under the GDPR. Your consent mechanism should offer granular choices and make it as easy to reject as to accept.
Establish a monitoring process
The legal framework for international data transfers has changed three times in the last decade (Safe Harbor, Privacy Shield, Data Privacy Framework). Build a process for monitoring developments and updating your compliance measures:
- Subscribe to updates from your national data protection authority
- Track the CJEU challenge to the Data Privacy Framework
- Review your third-party providers' transfer mechanisms annually
- Update privacy policies and consent mechanisms when the legal basis changes
Frequently Asked Questions
What was the EU-U.S. Privacy Shield?
The EU-U.S. Privacy Shield was a data transfer framework that allowed certified U.S. companies to receive personal data from the European Union. It was adopted in July 2016 as a replacement for the Safe Harbor agreement. Over 5,300 U.S. organizations were certified under Privacy Shield before the Court of Justice of the European Union invalidated it in July 2020 through the Schrems II ruling (Case C-311/18).
Why was the Privacy Shield invalidated?
The Court of Justice of the European Union invalidated the Privacy Shield in July 2020 because U.S. surveillance laws, particularly Section 702 of the Foreign Intelligence Surveillance Act and Executive Order 12333, allowed U.S. intelligence agencies to access personal data transferred from the EU without adequate safeguards or effective judicial redress for EU individuals. The court found that these surveillance powers were not limited to what was strictly necessary and proportionate.
What replaced the Privacy Shield?
The EU-U.S. Data Privacy Framework (DPF) replaced the Privacy Shield. The European Commission adopted an adequacy decision for the DPF on July 10, 2023. The framework is supported by Executive Order 14086, signed in October 2022, which introduced new safeguards for U.S. signals intelligence activities and established the Data Protection Review Court for EU individuals to challenge unlawful data access.
Do I need to update my privacy policy after the Privacy Shield changes?
Yes. If your privacy policy still references the EU-U.S. Privacy Shield as a data transfer mechanism, you must update it. Article 13(1)(f) of the GDPR requires you to inform users about the safeguards applied to international data transfers. Your policy should reference the current mechanisms you rely on, such as the EU-U.S. Data Privacy Framework, Standard Contractual Clauses, or both.