Privacy Shield


      The Privacy Shield was an international agreement between the EU and the US with requirements to ensure an adequate level of protection of personal data exported to the US.

      The Privacy Shield was invalidated by the European Court of Justice on 16 July 2020 in its ruling in the Schrems II case.

      The Privacy Shield replaced its predecessor Safe Harbour when it was declared invalid in the first Schrems-judgement on 6 October 2015. Privacy Shield had additional measures than Safe Harbour. These were meant to ensure the privacy of Europeans whose personal data is transferred to the US. One of those measures is a US Ombudsperson, to whom Europeans can file complaints. These measures were, however, not binding for the intelligence agencies.

      The purpose of Privacy Shield was to enable organisations to transfer personal data to the US in a smooth way. The Privacy Shield was a self-certification scheme were organisations could declare themselves to follow the requirements in the agreement. Without it, they would have to rely on other measures that were more burdensome. It enabled the European Commission to declare that the US had appropriate safeguards for data transfer. Such a decision can be made according to article 45 of the GDPR. This possibility is important because a lot of companies need simple ways to transfer data. This is true both for US and EU companies.

      Note that the Privacy Shield still exists between the EU and Switzerland.