The EU-US Privacy Shield (2016-2020) was a legal agreement between the European Union and the United States of America meant to regulate transatlantic data transfer and storage.
What is the EU-US Privacy Shield?
The Privacy Shield’s purpose was to protect EU citizens from having their data misused by US entities such as advertisers, intelligence agencies, and other organizations.
This agreement was the successor to the International Safe Harbor Privacy Principles, which had the same initial purpose but were declared invalid in 2015 because they were inadequate with respect to the EU laws in place at the time (see Schrems I). After several adjustments and rounds of back-and-forth between the EU and US commission, the Privacy Shield came into effect on 12 July 2016.
How the Privacy Shield Works
When a user from the EU creates an account on a website, they share personal data such as their name, date of birth, email address, and other information. Even accessing a website without creating an account can lead to the disclosure of private data such as the IP address, location, page browsing history, etc. The Privacy Shield was meant to protect European users’ data that ends up being processed in the USA from being stored without adequate security measures, sold, stolen, or used without the user’s approval. In other words, US companies needed to handle this data according to EU standards, which are more restrictive than those in the US.
The Privacy Shield Invalidation
Following the Schrems II case, finalized in July 2020, the EU-US Privacy Shield was declared GDPR-inadequate, for reasons similar to those that had previously invalidated the Safe Harbor regulations. The Privacy Shield became invalid on the grounds that there are not sufficient means of protecting against US surveillance and that the access to data is much broader than necessary.
Many companies from the United States are currently affected by the Privacy Shield invalidation, including giants such as Google and Facebook, which were previously allowed to engage in data transfers between the EU and US. See the entire list of companies here: https://www.privacyshield.gov/list.
Here is what you need to know about these changes, as a website owner: Privacy Shield Invalidation Consequences.
Keep in mind that there are different privacy policies for each region of the world and that this article is strictly about the agreement between the United States and the European Union.