Privacy Shield 2.0: New start for transatlantic data transfer between the EU and the USA

Category(ies): GDPR
Published on 14.09.2023
Web Designer

What you can expect in this article:

In this blog post, I provide insights into Privacy Shield 2.0 (officially the EU-US Data Privacy Framework), which came into force in July 2023, and explain what has changed and what you need to be aware of.

About the author:

Christian is a web designer & developer with over 8 years of experience in WordPress and web development. He develops conversion-optimized websites & online stores that perfectly combine design and function to make companies successful online. In addition to his work, he travels around the world and is inspired by new impressions.

First things first: the EU-US Data Privacy Framework (DPF), which came into force on July 10, 2023, means that data transfers between the EU and the USA, and with them the use of US tools and services on websites (e.g. Google Analytics, Webflow, YouTube, Cloudflare), are possible again under certain conditions.

You can find out what these are and what you need to look out for as an entrepreneur or website manager below. Before that, let's take a look at what the Privacy Shield actually is and why version 2.0 was necessary.

The end of Privacy Shield 1.0

What was the Privacy Shield 1.0?

Privacy Shield 1.0 came into force in 2016 and was a data protection agreement between the European Union (EU) and the United States (USA) that governed the transfer of personal data between the two regions. It was designed to ensure that personal data of EU citizens transferred to the US enjoyed an adequate level of protection.

This agreement was declared invalid in 2020 because of concerns about data protection and the US government's access to data; it was replaced by Privacy Shield 2.0 in July 2023.

Why was the Privacy Shield 1.0 repealed?

In July 2020, the European Court of Justice (ECJ) ruled in the Schrems II case that the data protection rights of EU citizens were not sufficiently guaranteed, in particular because of the broad access rights of the US intelligence services to the transferred data.

Impact on companies and data protection officers

From then on, services, programs and tools that transmit the personal data of EU citizens to servers in the USA when a website is accessed could no longer rely on the Privacy Shield as their legal basis. They could only be used with additional safeguards, for example standard contractual clauses plus supplementary measures, or on the basis of the visitor's explicit consent given after a detailed explanation in the cookie banner. However, this was never clearly legally secure; there was always a gray area, because there was simply no 100% specification and solution.

Privacy Shield 2.0: The revival

What does the Privacy Shield 2.0 entail?

Privacy Shield 2.0 was developed to close the gaps in the previous agreement and to ensure data protection in international data transfers.

The USA guarantees that data transferred from the EU to US companies will be processed at a level of protection equivalent to the EU's. However, this only applies to companies that participate in the framework. To do so, a company must complete the self-certification process of the US Department of Commerce, and the certification must be renewed every year.

Differences between Privacy Shield 1.0 and 2.0

Privacy Shield 2.0 was developed with the clear aim of offering improved protection of privacy and data security.

Here are some specific differences between Privacy Shield 1.0 and 2.0:

  • Stricter monitoring and enforcement: Privacy Shield 2.0 introduces more effective monitoring and enforcement of data protection rules. The US authorities (the Department of Commerce administers the list; the Federal Trade Commission enforces compliance) undertake to ensure that participating companies keep their commitments.
  • Clear limitation of access rights: Privacy Shield 2.0 imposes clearer limits on the US government's access to European data. Executive Order 14086 restricts US signals intelligence to what is necessary and proportionate for defined national security objectives. This is intended to better protect the data of EU citizens.
  • Stronger obligations for companies: Companies that wish to rely on Privacy Shield 2.0 must accept stronger obligations. For example, they must provide independent dispute resolution mechanisms and re-certify annually.
  • More transparency: Greater focus on transparency. Companies must communicate their data protection practices clearly and comprehensibly and provide information on their data processing.
  • Complaints mechanisms: Privacy Shield 2.0 strengthens the rights of EU citizens to lodge complaints about data protection violations. For access by US intelligence services there is a new two-layer redress mechanism: complaints are first examined by the Civil Liberties Protection Officer of the US intelligence community, whose decisions can be reviewed by the newly created Data Protection Review Court.
  • Periodic reviews: The adequacy decision provides for a first review within one year of its entry into force and periodic reviews thereafter, so that the European Commission can check whether the US commitments are actually being met.

These differences make Privacy Shield 2.0 a more robust framework for international data transfer and should ensure that personal data is adequately protected.

What to consider now

Check DPF certification

On the website of the Data Privacy Framework Program (https://www.dataprivacyframework.gov/) you can look up which companies are certified under Privacy Shield 2.0. Check that the entry is marked as active and that the legal entity listed is actually the one you contract with (the list also names covered subsidiaries).

It is also important to check whether the type of data you transfer is covered by the certification: the list shows whether a participant's certification covers HR data, non-HR data, or both.

Update privacy policy & cookie banner

The DPF certification of the respective provider must be stated in the privacy policy. The good news is that for DPF-certified providers the long information texts about the risks of transfers to the USA are no longer needed.

The same applies to the information in the cookie banner: the DPF certification must be stated there too. The usual long notice on the use of US tools can be removed, provided that only DPF-certified tools are used.

A brief digression, as I see incorrectly configured cookie banners every day: cookie banners must inform clearly, be user-friendly and actually work. In detail, that means:

  • Transparency and information: Cookie banners must inform the user about the type of data collected, the purpose of the processing and how to exercise rights such as objecting to or withdrawing consent.
  • Ease of use: Cookie banners must be easy to understand and let the user give or withdraw consent to data processing in a simple and uncomplicated way.
  • Technical correctness: Cookie banners must ensure that the user's decision is effective. If the user does not consent, no connection to the third-party provider may be established and no non-essential cookie may be set!
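The "technical correctness" requirement is where most banners fail: the tag is loaded first and the banner only asks afterwards, so the US provider has already been contacted. The following is an added example, not code from the original post or from any cookie-banner product: a minimal opt-in consent gate that keeps third-party tags inert until the visitor ticks a box, stores the choice in a first-party cookie, and includes a small audit helper that lists every third-party host the page has already contacted. The category names, cookie name, form id and the `G-XXXXXXX` measurement ID are assumptions for the example.

```javascript
// Added example (not code from the original post): an opt-in consent gate for
// third-party tags plus a check that nothing was contacted before consent.
// Non-essential tags are embedded inert in the HTML, e.g.
//
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
//
// A text/plain script is neither executed nor fetched, so no connection to the
// provider is made until applyConsent() swaps it for a live script element.
// Category names, cookie name, form id and measurement ID are assumptions.

const CONSENT_COOKIE = "site_consent";          // assumed first-party cookie name
const CATEGORIES = ["analytics", "marketing"];  // assumed non-essential categories

// Opt-in: the default is "nothing granted"; banner checkboxes start unticked.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Parse a stored choice such as "analytics=1,marketing=0". Unknown categories and
// any value other than an explicit "1" count as "not granted", so a stale or
// tampered cookie can never grant more than the visitor actually chose.
function parseConsent(raw) {
  const state = defaultConsent();
  if (typeof raw !== "string") return state;
  for (const part of raw.split(",")) {
    const [key, value] = part.split("=");
    if (CATEGORIES.includes(key)) state[key] = value === "1";
  }
  return state;
}

function serializeConsent(state) {
  return CATEGORIES.map((c) => `${c}=${state[c] ? "1" : "0"}`).join(",");
}

// Return one cookie's decoded value from a document.cookie string ("" if absent).
function readCookie(cookieString, name) {
  for (const pair of cookieString.split(";")) {
    const trimmed = pair.trim();
    if (trimmed.startsWith(name + "=")) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return "";
}

// A tag may only be activated for a known category the visitor has granted.
function mayActivate(state, category) {
  return CATEGORIES.includes(category) && state[category] === true;
}

// Audit helper: given the URLs the page has requested so far, e.g.
// performance.getEntriesByType("resource").map((e) => e.name), return every host
// outside the first-party list. Before consent this must be empty.
function thirdPartyHosts(urls, firstPartyHosts) {
  const hosts = new Set();
  for (const u of urls) {
    try {
      const host = new URL(u).hostname;
      if (host && !firstPartyHosts.includes(host)) hosts.add(host);
    } catch { /* relative or malformed entry: no third-party host contacted */ }
  }
  return [...hosts].sort();
}

// Activate the inert tags the state allows; leave the rest untouched.
// Returns the number of tags activated so the result can be checked.
function applyConsent(state, doc) {
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayActivate(state, tag.dataset.consent)) continue;
    const live = doc.createElement("script");
    live.src = tag.dataset.src;  // the first request to the provider happens here
    live.async = true;
    tag.replaceWith(live);
    activated++;
  }
  return activated;
}

// Browser wiring; skipped outside a browser (e.g. when run under Node).
if (typeof document !== "undefined") {
  const stored = parseConsent(readCookie(document.cookie, CONSENT_COOKIE));
  applyConsent(stored, document);  // returning visitor: honour the earlier choice

  // Assumed banner markup: <form id="consent-banner"> with one unticked
  // <input type="checkbox" name="analytics"> per category and a submit button.
  const form = document.getElementById("consent-banner");
  if (form) {
    form.addEventListener("submit", (ev) => {
      ev.preventDefault();
      const state = defaultConsent();
      for (const c of CATEGORIES) state[c] = form.elements[c]?.checked === true;
      document.cookie = `${CONSENT_COOKIE}=${encodeURIComponent(serializeConsent(state))}`
        + "; Path=/; Max-Age=15552000; SameSite=Lax; Secure";  // 180 days
      // Withdrawal: a running script cannot be unloaded, so a narrowed choice
      // reloads to a clean page instead of activating anything.
      const narrowed = CATEGORIES.some((c) => stored[c] && !state[c]);
      if (narrowed) location.reload(); else applyConsent(state, document);
    });
  }
}
```

To check a live site, open the browser console before clicking anything in the banner and run `thirdPartyHosts(performance.getEntriesByType("resource").map((e) => e.name), [location.hostname])`; any host in the result (for example a `google-analytics.com` or `googletagmanager.com` host) was contacted without consent, which is exactly the misconfiguration described above. Note that the checkboxes must start unticked: a pre-ticked box is not consent, and the code treats anything that is not an explicit "1" as "not granted".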

Back to the topic: What else is there to consider?

Obtain consent in the cookie banner

The Data Privacy Framework does not make it superfluous to obtain the visitor's consent as soon as a non-essential cookie is set.

If a tool only exchanges data without setting cookies or storing anything else on the visitor's device, such as a cookie-free Google Maps embed, consent is no longer necessary, provided that the information in the privacy policy and in the cookie banner is given as just explained.

Is that it now? Future prospects of the Privacy Shield 2.0

The introduction of Privacy Shield 2.0 has provoked mixed reactions, ranging from acceptance to criticism.

Acceptance of Privacy Shield 2.0

Some companies and data protection experts welcome Privacy Shield 2.0 as a step in the right direction. They see the stricter monitoring and enforcement mechanisms as positive progress that improves data protection. They believe that Privacy Shield 2.0 provides companies with a clear and legal basis for international data transfers, which helps to strengthen trust and data security.

In addition, some European companies value Privacy Shield 2.0 as a necessary instrument for continuing to do business with US partners. The hope is that the agreement will ensure a smooth flow of data between the two continents, which is important for many industries.

Criticism of Privacy Shield 2.0

Despite the positive aspects, there are already considerable points of criticism of Privacy Shield 2.0:

  1. Insufficient protection: Data protection activists and some EU data protection authorities argue that Privacy Shield 2.0 is still not sufficient to protect the data protection rights of EU citizens. They believe that the US government's access to data is still too extensive and the monitoring is not sufficient.
  2. Uncertainties due to legal challenges: Some fear that Privacy Shield 2.0 could again face legal challenges, similar to its predecessor. This could lead to uncertainty for companies that need to transfer data to the USA.
  3. Lack of longevity: Previous EU-US arrangements (Safe Harbor, Privacy Shield) have had a limited lifespan, which leads to uncertainty about how long the current rules will last. This could influence companies' investment decisions.

Overall, the acceptance of Privacy Shield 2.0 remains a controversial topic and its effectiveness will only become apparent over time. Companies and data protection experts must closely monitor developments in this area.

Conclusion

Privacy Shield 2.0 is an important step in the right direction, as there is at least clarity for the moment about what website operators need to consider. Nevertheless, it is uncertain whether the current version will hold in the long term.

Important: the agreement does not change the fact that consent must still be obtained for tools that transfer data to the USA and set non-essential cookies!

Comments

4 Comments
  1. Fabian Walter

    Hi Christian,
    Thanks for the overview! As I work a lot with Webflow in website creation, data protection has always been a big issue. I hope that the Privacy Shield 2.0 is now also in place! It's actually a shame that companies like Webflow, Shopify & Co. show so little initiative and don't set up server structures in Europe. But well, then you just have to rely on such agreements.
    Thanks for the contribution & best regards
    Fabian

    Reply
    • Christian

      Hi Fabian,

      I'm glad if I was able to help a little with this article.

      I'll keep my fingers crossed that the Privacy Shield 2.0 holds. Relatively important for Webflow!

      Best regards,
      Christian

      Reply
  2. Šukri

    Hello Christian,

    First of all, a big thank you for this detailed and very informative article on Privacy Shield 2.0! As an online marketing agency, we face the daily challenge of providing our clients with the best possible marketing tools while ensuring that their data is handled securely and compliantly.

    It feels like a constant tug-of-war between data protection and effective online marketing, especially in a world where digitalization is advancing at a rapid pace. Your article has shed light on the often confusing topic of transatlantic data transfer.

    I found the point about DPF certification and the need to regularly update the privacy policy & cookie banner particularly interesting. Details like this are very important for us to ensure that we are always on the safe side.

    I must admit that I was initially skeptical about the introduction of Privacy Shield 2.0. Especially after the failure of Privacy Shield 1.0, but your analysis of the differences between the two versions and the future prospects gives me hope.

    However, I share your concerns about the long-term nature and potential legal challenges. This is definitely an issue that we all need to continue to keep an eye on.

    Thanks again for this great post! We will certainly come back and follow your blog to stay up to date.

    Kind regards,

    Šukri

    P.S. We also experience this with the incorrectly configured cookie banners on a daily basis. A little humor in this serious matter! 😅

    Reply
    • Christian

      Hi Šukri,

      Thank you for your great feedback! I'm of course delighted if my contributions are helpful.

      As with almost all digital topics, it is important to "stay tuned".

      I was just on your website and saw that you use opt-out for your cookie banner. According to the ECJ ruling in October 2019, this is not permitted; the only legally permissible option is opt-in. Visitors must activate the checkbox themselves. Just a nicely meant hint 🙂

      If there is a topic you are particularly interested in that you would like me to write about, please let me know.

      Best regards,
      Christian

      Reply
