Privacy Shield I/II
The Privacy Shield is a legal framework addressing transfers of personal data between the EU and the US.
The (original) Privacy Shield, the successor of the Safe Harbor, was an agreement between the United States and the European Union to ensure that companies processing personal data from EU citizens comply with the General Data Protection Regulation (GDPR). It was deemed necessary because it provided a framework for U.S. companies to transfer and process the personal data of EU individuals. To this end, it sought to establish a framework of principles that, if observed properly, would establish an adequate level of data protection.
The Schrems II judgment of the European Court of Justice (ECJ) declared the Privacy Shield invalid as, in essence, it did not work in practice and thus failed to properly protect personal data.
Currently, the EU and the US are in the process of agreeing on a Privacy Shield II and the EU Commission has stated that it will issue an Adequacy Decision based on that.
The ECJ however, in its Schrems I and II rulings, has invalidated two transfer mechanisms (Safe Harbor and Privacy Shield I) already. At the same time, the reasons for those decisions have not changed, in particular, the US Cloud Act is still in force. Therefore, we at Engity expect a Schrems III judgment, finding the Privacy Shield II lacking.