Worldwide: The EU-US Privacy Shield: The New Data Protection Deal

The (Un)Safe Harbor and Schrems

As explained in detail in our article from October 2015, the Court of Justice of the European Union declared in its judgment in the case of Schrems v Facebook that the EU-US Safe Harbor agreement (Safe Harbor) was invalid. This meant that data transfers between European Union Member States and the United States which were taking place under Safe Harbor, were no longer lawful.

The decision was primarily based on the ability of the US authorities to access personal data transferred from the Member States to the United States and process it in a way incompatible with the purposes for which it was transferred and beyond what was strictly necessary and proportionate for the protection of national security.

Notwithstanding this decision, the European Commission made it clear that there were alternative ways in which lawful transfers could be made – including the use of Binding Corporate Rules (BCRs), Standard Contractual Clauses (SCCs) or by consent. However, Safe Harbor could no longer be relied upon.

Since then, steps have been taken to agree a replacement for the Safe Harbor scheme.

The Article 29 Working Party's deadline of 31 January 2016

The EU's Article 29 Working Party (the Working Party), comprising the national data protection authorities of EU Member States, the European Data Protection Supervisor and the European Commission, set a deadline of 31 January 2016 for a new agreement to be reached to replace Safe Harbor, which had been in operation since 2000.

The Working Party stated that any new deal needed to address the issue of "massive and indiscriminate surveillance" that was taking place in the US. The deal should therefore include obligations in relation to the necessary oversight of access by public authorities, transparency, proportionality, redress mechanisms and clarify the data protection rights of individuals.

The new deal: the EU-US Privacy Shield

Although the original deadline of 31 January 2016 was not met, a new political deal in the form of the EU-US Privacy Shield (the Privacy Shield) was announced by the European Commission on 2 February 2016. Details of the new scheme have yet to be announced and there remains a high degree of uncertainty about its terms.

The Privacy Shield includes the following key elements:

  1. Stronger obligations on US companies to protect the personal data of EU citizens, including how personal data are processed and the individual rights of EU citizens being guaranteed. The US Department of Commerce will monitor US companies to ensure that they publish and adhere to these obligations. Any US company processing European human resources data must also comply with the decisions of European data protection agencies.
  2. Written assurances that US public authorities' access to data for law enforcement and national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. These public authorities will only have exceptional, necessary and proportionate access to personal data, which will therefore not be subject to indiscriminate mass surveillance. The European Commission and US Department of Commerce will conduct an annual joint review of this arrangement to monitor its implementation.
  3. Effective protection of EU citizens' rights. This is achieved in several ways. US companies will have deadlines by which they must reply to complaints. European data protection authorities may refer complaints to the US Department of Commerce and the Federal Trade Commission to ensure that complaints are investigated and resolved. Free alternative dispute resolution will also be available. The US authorities are also in the process of creating an Ombudsman within the US State Department to whom EU citizens will be able to raise enquiries or complaints in relation to access to their data by US national intelligence authorities (on reference from a EU data protection authority).

It should also be noted that the US Judicial Redress Act was passed by the Senate Judiciary Committee on 28 January 2016. In the event that it comes into force, which is now likely as it nears the end of the legislative process, it would give EU citizens the right to start proceedings against specific government agencies in order to obtain redress for unlawful use of their data. The draft legislation preserves the right of companies to transfer personal data to the US for commercial purposes and requires EU member states to have personal data transfer policies that do not materially impede the national security interests of the US.

Further, President Obama signed an executive order on 9 February 2016 establishing a Federal Privacy Council, designed to serve as an interagency support structure to improve the privacy practices of government agencies through sharing best practice and structured training.

The Response and Next Steps

The Working Party issued a press release on 3 February 2016 in which it welcomed the Privacy Shield, albeit reserving judgment on whether or not it deals with all of the issues raised in Schrems in relation to the international transfers of personal data. It referred to four essential guarantees for intelligence gathering in the context of European principles which it wished to see reflected in the Privacy Shield:

  1. Processing should be based on clear, precise and accessible rules;
  2. There must be necessity and proportionality;
  3. There needs to be an effective and impartial independent oversight mechanism; and
  4. Effective remedies must be available to the individual.​

The Working Party remains concerned about the scope of processing and remedies available, meaning that there could be further negotiations in order to address these issues.

It is difficult to conceive of any government (let alone the US) giving a guarantee of independent oversight of its intelligence gathering activities. It remains to be seen as to whether any European nation state would be prepared to subject its own intelligence gathering to such oversight.

These negotiations have highlighted the inevitable tension between two competing (and both to some extent justified) concerns – those of privacy campaigners on the one hand and those of law enforcement authorities on the other. Striking a balance between the two would appear to be some way off.

The College of Commissioners is now preparing a draft adequacy decision in relation to the Privacy Shield (i.e. a decision that will state whether or not there will be adequate protection of the personal data of EU citizens that are transferred to the US under the new arrangement). This draft decision is expected to be produced within the next few weeks.

The Working Party has also requested that documentation relating to the Privacy Shield (in essence, the detailed terms which have yet to be made public) is produced to it by the end of February 2016, in order that they may analyse it at an extraordinary plenary meeting in March 2016. There remains significant uncertainty as to not only the precise terms being discussed, but also the extent to which the Working Party's concerns and guarantees have been addressed.

Notwithstanding the above, it has been suggested that the Privacy Shield could be implemented within the next three months, although objectively that seems optimistic.

Practical implications

The Working Party made it clear in their press release that transfers being effected under Safe Harbor are not valid and complaints arising from such transfers will be considered and determined in the usual way. However, Isabelle Falque-Pierrotin, Chair of the Working Party, has confirmed (9 February 2016) that the "moratorium" on enforcement would continue until April, in order to allow them time to scrutinise the Privacy Shield. Businesses effecting transfers under the auspices of Safe Harbor can expect enforcement action thereafter. However, the use of BCRS and SCCs remains legitimate, at least for now.

Businesses should therefore review their data flows and check (to the extent they have not done so already) that such are covered by one of the "approved" mechanisms, such as BCRs and SCCs.

The muted reaction of the Working Party and commentators would appear to suggest that there is considerable doubt as to whether the Privacy Shield will satisfy the concerns of the ECJ in Schrems – a state of uncertainty which is likely to last for a considerable time. It is also highly likely that any solution (including the Privacy Shield) is likely to be a short term one – the new General Data Protection Regulation is likely to have a significant impact, notwithstanding the assurances that the negotiators had one eye on the Regulation during their discussions.

We await the position that will be taken by the Channel Islands and other offshore Data Protection authorities in relation to local enforcement. In any event, it would be prudent to review what arrangements and contractual agreements are in place in relation to the international transfers of data (particularly to the US) and to obtain professional advice in order to safeguard the legitimacy of such transfers.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

Similar Articles
Relevancy Powered by MondaqAI
In association with
Related Topics
Similar Articles
Relevancy Powered by MondaqAI
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions