The Ultimate Guide to the Privacy Shield in the EU and USA

Nov 24, 2023

Data privacy is a big deal, even more so when personal information is transferred from Europe to the U.S.

privacy shield - cover photo

The EU-U.S. Privacy Shield was a rule book that made sure American companies treated European data with care. But in 2020, this rule book stopped being used and it caused quite a stir.

Let’s look at what the Privacy Shield was about, why it’s not around anymore, and how it’s changed the way companies, especially email marketers, handle data.

What is the privacy shield?

The EU-U.S. privacy shield is a set of rules for moving personal data from Europe to the U.S. It’s used to transfer personal data for commercial purposes safely.

eu us privacy shield


The seven principles of the privacy shield framework

The principles are part of the privacy shield framework, and there are seven of them.

The seven principles of the privacy shield framework



Organizations must inform people that they collect data and participate in Privacy Shield, and explain how the data is used.


People must be given the option to opt out of data collection or sharing and must opt-in for sensitive information.

PRINCIPLE 3: Accountability for onward transfer

Transfers of data to third parties need to be protected with the same level of protection provided.

PRINCIPLE 4: Security

Data must be protected from loss, misuse, or unauthorized access.

PRINCIPLE 5: Data integrity and purpose limitation

Data can only be used in ways that match what people were told when they gave their information.


Individuals have a right to access and modify their personal data.

PRINCIPLE 7: Recourse, enforcement, and liability

There must be ways for people to complain and have their complaints investigated, and organizations must prove they follow these principles

The seven principles of the privacy shield were created to align the U.S. policy to match the strict data protection standards of the European Union. The data privacy framework provided data safety and protected individuals’ privacy across borders.

Rooted in the privacy shield principles, these rules worked as a mutual agreement. Companies could do business transatlantically in a trusted framework without compromising privacy.

data protection commissioner


Why the privacy shield is no longer in force?

On July 16, 2020, the European Court declared that Privacy Shield was no longer valid.

For transfers of personal data from the EEA to the United States, the data privacy framework no longer provides adequate safeguards. 

The problem was that the U.S. didn’t get an ‘adequacy decision’ from Europe, saying it kept data as safe as Europe does. 

Europe has strict privacy policies, and they considered the U.S. unprepared, with U.S. companies and government having more room to use personal data in ways Europe wouldn’t agree with.


Executive Order Signed For New EU & US Privacy Shield framework


What steps did companies take after the invalidation of the Privacy Shield?

👉 They needed to take a good look at what data they were sending from the European Union to the U.S. and figure out how they’d be affected if they couldn’t send it anymore.

👉 Companies have got to find a new way to move pieces of data that still comply with GDPR. Think about using things like standard contractual clauses, a promise for data safety that the European Commission supports.

👉 They needed to check standard clauses to make sure they were solid.

👉 For internal data transfers, they should have considered adopting binding corporate rules, pending approval from the data protection commissioner.

👉 While EU law offers various other transfer methods, they should have approached these with caution due to their complex nature.

👉 They could have simplified the process by transferring aggregated data, which generally requires fewer privacy safeguards.

👉 Companies should have brought together a cross-functional team to develop a resilient privacy strategy that can adapt to ongoing changes in data protection legislation.

What did the privacy shield mean for email marketing?

The fact that privacy shield is deemed made that email marketers be even more careful with where and how they process data.

European services like Bouncer stepped in, offering email verification within the EU to stay in line with GDPR, so data was not sent to the United States in violation of GDPR.

Bouncer website

It’s a local guardian for your data — no need to stress over your emails taking an unwanted trip to U.S. servers. Bouncer keeps it simple and secure: it sticks to its EU roots, keeping your data safe from U.S. surveillance.

On top of that, it’s upfront about where its data centers sit, giving you that extra layer of security.

Bouncer CTA

Let Bouncer help you with Privacy Shield and GDPR

Navigating data privacy is not just about understanding the rules but also about having the right tools at your disposal.

Enter Bouncer: your go-to ally in ensuring your email marketing efforts remain GDPR-compliant without crossing any digital borders.

It’s a simple, secure solution to keep your data privacy in check. So why not give Bouncer a try? Make Bouncer a part of your data strategy toolkit.


Line and dots