Articles | Data protection update - the new privacy shield

Cathrine Ripley discusses the key data protection issues for businesses involved in transferring personal data to organisations in the US.



A fundamental part of EU data protection law is a prohibition on transferring personal data to countries that do not offer an adequate level of privacy protection. For over 15 years the “safe harbour” agreement helped ensure that EU to US data transfers did not fall foul of this basic rule, by allowing US companies to self-certify that the information sent to their data centres would be protected to an equivalent standard.

All that changed in October 2015 when, in a case arising from a complaint by privacy activist Max Schrems about Facebook’s transfer of his data to the US, the European Court of Justice found safe harbour to be invalid because it failed to adequately protect European citizens’ data. In particular, in the wake of the Edward Snowden disclosures, there was concern that personal data of EU citizens held on servers located in the USA could be accessed by the US authorities without the limits and remedies that EU law requires.

The ensuing hiatus has created considerable uncertainty as to how to ensure EU to US data transfers do not breach EU law. The fall-back position has been to rely on the EU “model clauses” (standard contractual clauses approved by the European Commission) or, for transfers within a corporate group, on binding corporate rules (BCR).

The first step in a new solution for EU/US data transfers has now been taken. Last month the European Commission and the US reached a political agreement on a framework for transatlantic exchanges of personal data for commercial purposes: the new EU/US privacy shield. At this stage it is simply an agreement between the EU and the US and has yet to be adopted into law. It is presently being scrutinised by the Article 29 Working Party (WP29), the group of European data protection authorities that includes the UK’s Information Commissioner’s Office.

The outcome of this process is keenly awaited. How will US organisations react to the proposals? Will they willingly allow EU privacy regulators to police compliance with the new rules? Privacy activists (including Max Schrems) have already taken to the internet, indicating that they will challenge the new regime at the ECJ if the privacy shield does not represent a substantial improvement over safe harbour.

So what are the differences between safe harbour and the privacy shield?

  • The privacy shield is intended to impose stronger obligations on US companies to protect the personal data they receive, with sanctions if those obligations are not met. To give the agreement some much needed weight, the US Government has, for the first time, confirmed in writing that access by US public authorities for national security purposes will be subject to clear safeguards and limitations.
  • An ombudsman mechanism, independent of the US national security services, will be established to allow EU citizens to make enquiries or complaints about whether the data protection rules that apply to them have been complied with.
  • Companies will have to resolve complaints within 45 days, and a free-of-charge alternative dispute resolution procedure will also be available.
  • EU national data protection authorities will work more closely with their US counterparts to investigate unresolved complaints by EU citizens.

However, critics have pointed out that the privacy shield will only be as effective as its implementation, and that implementation is likely to take some considerable time. So it is still early days and much uncertainty remains.

We will continue to monitor progress. In the meantime, EU companies planning to transfer personal data to the US should seek advice on the appropriate mechanisms for ensuring they do not breach current data protection law, not least because the WP29 has said that it will continue to assess the other transfer tools (such as the “model clauses” and BCR), suggesting that even these may themselves be subject to review.