Privacy Shield (Deprecated) / EU-US Data Privacy Framework
The EU-US Privacy Shield was a transatlantic data transfer mechanism invalidated by Schrems II in 2020. The EU-US Data Privacy Framework (DPF) replaced it in July 2023, with similar but strengthened protections.
History
The Safe Harbor framework (2000-2015) was the first-generation EU-US data transfer mechanism. The CJEU invalidated it in Schrems I (October 2015) over U.S. surveillance concerns. Privacy Shield (2016-2020) was the replacement, invalidated in Schrems II (July 2020) on essentially the same grounds plus inadequate redress mechanisms. The EU-US Data Privacy Framework (DPF) replaced Privacy Shield in July 2023 after the U.S. issued Executive Order 14086 establishing redress mechanisms and limiting signals intelligence collection.
The current DPF
U.S. companies can self-certify to the DPF via the U.S. Department of Commerce, committing to a set of principles (notice, choice, accountability for onward transfer, security, data integrity, access, recourse). Once certified, EU exporters can transfer personal data to the company without additional Standard Contractual Clauses (SCCs). The DPF includes UK and Swiss extensions for those jurisdictions. The list of certified companies is public at dataprivacyframework.gov.
Will Schrems III happen?
Privacy advocates have already filed challenges to the DPF arguing the redress mechanism is insufficient. The CJEU has not yet ruled. Prudent buyers should not rely on the DPF as the sole transfer mechanism; SCCs plus a transfer impact assessment (TIA) remain the durable approach. For AI vendors, the practical posture is to maintain both DPF certification (where eligible) and SCCs in the data processing agreement (DPA), so customers can choose their preferred basis. If the DPF is invalidated, the SCCs remain operative.