Privacy Shield


The EU-US Privacy Shield (2016-2020) was a legal agreement between the European Union and the United States of America meant to regulate transatlantic data transfer and storage.

What was the EU-US Privacy Shield?

The purpose of the Privacy Shield was to protect EU citizens from having their data misused by US entities such as advertisers, intelligence agencies, and other organizations.

This agreement was the successor to the International Safe Harbor Privacy Principles, which had the same initial purpose but were declared invalid in 2015 because they were inadequate under the EU laws in place at the time (see Schrems I). After several adjustments and being transferred back and forth between the EU and US commission, the Privacy Shield came into effect on 12 July 2016.

How the Privacy Shield worked

When a user from the EU created an account on a website, they shared personal data such as their name, date of birth, email address, and other information. Even accessing a website without creating an account could lead to the disclosure of private data such as IP address, location, and page browsing history. The Privacy Shield was meant to protect European users’ data that ended up being processed in the USA from being stored without adequate security measures, sold, stolen, or used without the user’s approval. In other words, US companies needed to handle this data according to EU standards, which are more restrictive than those in the US.

The Invalidation of the Privacy Shield

Following the Schrems II case, finalized in July 2020, the EU-US Privacy Shield was declared GDPR-inadequate for reasons similar to those that had previously invalidated the Safe Harbor regulations. The Privacy Shield became invalid on the grounds that there aren’t sufficient means of protecting against US surveillance and that access to data is much broader than necessary.

Many companies from the United States are currently affected by the invalidation of the Privacy Shield, including giants such as Google and Facebook, which were previously allowed to engage in data transfers between the EU and US. See the entire list of companies here:

Here is what you need to know about these changes, as a website owner: Privacy Shield Invalidation Consequences.

Keep in mind that there are different privacy policies for each region of the world and this article is strictly about the agreement between the United States and the European Union.