Compliance

Privacy Shield

A former EU–US data transfer framework invalidated by the Court of Justice of the EU in 2020 — replaced by the Data Privacy Framework.

The EU–US Privacy Shield was a framework for regulating cross-border transfers of personal data from the EU to the United States.

Invalidation

On July 16, 2020, the Court of Justice of the European Union (CJEU) invalidated the Privacy Shield in the Schrems II ruling (Case C-311/18), finding that US surveillance laws did not provide adequate protection for EU citizens' data.

Replacement

The EU–US Data Privacy Framework (DPF) was adopted in July 2023 as a successor to the Privacy Shield. It includes new safeguards addressing the concerns raised in the Schrems II judgment.

Companies relying on the DPF must self-certify with the US Department of Commerce and commit to a set of privacy principles.

GDPR Article 45 (adequacy decisions).

Related Terms

GDPRLegal

The General Data Protection Regulation — the EU's comprehensive data protection law, effective since May 2018.

Standard Contractual ClausesLegal

Pre-approved contract terms for transferring personal data from the EU to countries without an adequacy decision.

Adequacy DecisionLegal

A determination by the European Commission that a non-EU country provides an adequate level of data protection.

Cross-Border TransferCompliance

The transfer of personal data from one country to another — subject to special rules under the GDPR.

Privacy PolicyPrivacy by Design