# Privacy Shield

The 2016 EU-US data transfer framework invalidated by the Court of Justice of the EU in 2020 (Schrems II ruling). Replaced in 2023 by the EU-US Data Privacy Framework.

## What Privacy Shield was

The EU-US Privacy Shield was a framework adopted in 2016 to allow the lawful transfer of personal data from the EU to US-based companies. It replaced the earlier Safe Harbor framework, which had been invalidated in 2015 by the original Schrems I ruling.

Privacy Shield worked through self-certification: US companies could certify that they would handle EU data according to principles broadly equivalent to the GDPR. Some 5,000 or more US companies self-certified under Privacy Shield, making it the primary mechanism for transatlantic data transfers from 2016 to 2020.

## Why Privacy Shield was invalidated

In July 2020, the Court of Justice of the EU issued the Schrems II ruling (Case C-311/18), invalidating Privacy Shield. The court found two fundamental problems:

**1. US surveillance laws.** US intelligence agencies (under FISA Section 702 and Executive Order 12333) can conduct bulk surveillance of foreign nationals' communications without judicial oversight equivalent to EU standards. Privacy Shield's self-certification couldn't compensate for this structural surveillance authority.

**2. Inadequate redress.** EU citizens whose data was subject to US surveillance had no effective remedy comparable to what the GDPR requires. The Privacy Shield Ombudsperson mechanism was deemed insufficient.

The court concluded that US legal protections fell below the "essentially equivalent" standard the GDPR requires for international data transfers. Privacy Shield was struck down with immediate effect.

## The post-Privacy-Shield gap (2020-2023)

For three years after Schrems II, transatlantic data transfers existed in legal uncertainty:

**Standard Contractual Clauses (SCCs)** remained valid but with new requirements — data exporters had to conduct Transfer Impact Assessments (TIAs) considering US surveillance laws, adding meaningful compliance overhead.

**Binding Corporate Rules (BCRs)** for intra-group transfers continued to work but required regulatory approval.

**Derogations** (Article 49 GDPR) allowed limited transfers in specific circumstances but couldn't sustain regular business data flows.

For most European businesses using US-based SaaS, the practical compliance approach was:

1. Implement updated SCCs
2. Conduct TIAs documenting awareness of US surveillance risks
3. Implement supplementary measures (encryption, data minimization)
4. Hope enforcement remained measured

This was operationally workable but legally precarious.

## The EU-US Data Privacy Framework (2023 onwards)

In July 2023, the European Commission adopted the EU-US Data Privacy Framework (DPF) — Privacy Shield's successor. The DPF replaces Privacy Shield with strengthened protections.

**Key DPF improvements over Privacy Shield:**

1. **Data Protection Review Court** — a new judicial body providing oversight of US intelligence access to EU data
2. **Stricter limitations on bulk data collection** — proportionality and necessity requirements
3. **Enhanced redress mechanisms** for EU citizens
4. **Specific commitments from the US intelligence community** on access limitations

US companies can self-certify under the DPF (similar to Privacy Shield's self-certification model). As of 2026, thousands of US companies are DPF-certified.

## The DPF's legal vulnerability

Privacy advocates, including Max Schrems (whose lawsuits invalidated both Safe Harbor and Privacy Shield), have already challenged the DPF. NOYB (None Of Your Business — Schrems's organization) argues:

- The DPF's reforms still don't meet the GDPR's "essentially equivalent" standard
- The Data Protection Review Court isn't truly independent
- US surveillance authority remains substantively similar to what it was before the DPF
- Bulk collection limitations are insufficient

A "Schrems III" CJEU ruling invalidating the DPF is plausible. Timeline: a ruling could come in 2026-2027.

If the DPF is invalidated, transatlantic transfers return to the SCCs + TIAs framework — operationally workable but uncertain.

## What this means for European businesses

For European businesses considering US providers in 2026:

**1. The DPF currently provides a legal basis** for transatlantic transfers to DPF-certified US companies. Use it where appropriate.

**2. Don't depend solely on the DPF** — its legal vulnerability means architectural decisions should consider what happens if it's invalidated.

**3. Consider EU-resident processing for sensitive data** — the strongest legal posture is avoiding the transatlantic transfer entirely. EU-headquartered providers (Hetzner, Scaleway, OVHcloud, Infomaniak) sidestep the issue.

**4. Maintain SCC fallbacks** — even with the DPF, having SCCs in place provides legal redundancy if the DPF is invalidated.

**5. Document Transfer Impact Assessments** — even DPF-based transfers benefit from TIA documentation showing awareness of US surveillance risks.

## The broader pattern

Privacy Shield's invalidation, the post-Schrems-II gap, and the DPF's vulnerability illustrate a structural issue: **transatlantic data transfer frameworks are politically fragile**. The EU-US relationship on data protection has cycled through:

- **2000-2015**: Safe Harbor (15 years before invalidation)
- **2016-2020**: Privacy Shield (4 years before invalidation)
- **2023-?**: Data Privacy Framework (uncertain duration)

Each framework has lasted a shorter time than its predecessor. The fundamental tension — US national security law versus EU privacy law — hasn't been resolved by any of these frameworks. They've been negotiated workarounds, not actual reconciliation.

For European businesses planning multi-year strategy, treating transatlantic data transfers as an ongoing legal risk rather than a settled matter is the prudent posture. The architectural answer is using EU-resident processing for sensitive data, with US providers used carefully, and with documented safeguards, for less sensitive use cases.

## Practical implications for 2026 and beyond

1. **Build multi-cloud strategies** that don't depend on transatlantic transfers for critical workloads
2. **Use EU-headquartered providers** for sensitive data (customer data, employee data, regulated data)
3. **Document data classification** distinguishing what can and cannot use US providers
4. **Maintain SCCs as a fallback** even with DPF availability
5. **Watch for Schrems III** — if and when the DPF is invalidated, have transition plans ready

The Privacy Shield era taught European businesses an expensive lesson about transatlantic transfer fragility. The DPF era is repeating that lesson with different specifics. The architectural answer is the same: where possible, avoid the transfer.