Article - Implementation of the new EU-US Privacy Shield (March 2016)

Related Galexia news

Related Galexia services and solutions

The proposed EU-US Privacy Shield is set to replace the former Safe Harbor as the key mechanism for the transfer of personal data from the European Union to the United States. The draft Privacy Shield adequacy decision by the European Commission is yet to be formalised - the commission must first seek the opinion of the influential Article 29 Working party. However, it is almost certain that the Privacy Shield will be implemented in some form in the near future.

The former Safe Harbor framework was the subject of extensive research and analysis by Galexia, including a major report in 2008[1] followed by ongoing monitoring and the submission of evidence and reports to the EU and US authorities.

How does the proposed Privacy Shield compare to the Safe Harbor?

The starting point for the Privacy Shield is that it has been designed in response to a specific legal decision by the European Court of Justice (Maximilllian Schrems v. Data Protection Commissioner, Court of Justice of the European Union, C-362/14 (2015)). That decision found that the original Safe Harbor adequacy decision (from 2000) was adopted without sufficient limits to the access of personal data and interference by governmental authorities. The court also criticised the absence of a right to any form of dispute resolution or legal redress for European citizens affected by US surveillance.

Although both the Safe Harbor and the Privacy Shield are the result of compromise and negotiation between two very different privacy regimes, the impact of the Schrems case means that the parties have been forced to strengthen the protections and limitations available in the Privacy Shield.

The two big-ticket changes are:

  • 1) the introduction of a right to legal redress for European citizens who wish to challenge the disclosure of their personal data to government authorities in the US (through the Judicial Redress Act), and
  • 2) a suite of limitations, oversight and governance on US national surveillance agencies and their activities.

This combination of specific limitations on surveillance, backed up by a judicial redress procedure, is a significant departure from the vague wording used in the original Safe Harbor agreement.

There are also a number of other crucial changes to the Privacy Shield that have a broader impact outside the surveillance / intelligence space.

There are dozens of changes contained in the complex legal documentation that forms the Privacy Shield. Some of the key highlights are:

  • The removal of consumer charges (and the threat of charges) for dispute resolution. This removes a significant deterrent to consumer action that affected the Safe Harbor;
  • A commitment that all consumer complaints will be answered and resolved. This may turn out to be the most significant difference in practice between the Safe Harbor and the Privacy Shield;
  • Shifting key implementation requirements from voluntary guidelines (which were unenforceable in the Safe Harbor) to mandatory rules;
  • A commitment to monitor and enforce ‘compliance verification reports’ for the first time. These reports formed part of the Safe Harbor but they were never enforced; and
  • A commitment to monitor and enforce false claims of Privacy Shield membership.

The replacement of the Safe Harbor agreement with the EU-US Privacy Shield is still subject to some uncertainty. For example, the new limitations and conditions on surveillance may be the subject of further legal challenges in Europe. But the Privacy Shield now contains a process for continual review and improvement through: formal annual performance reviews; regular reviews of the adequacy decision; and a more comprehensive complaints and dispute resolution process. It will be important to learn from the experience of the Safe Harbor and to use these new processes to drive ongoing reform and improvement.

A final decision on the approval of the Privacy Shield is expected to be announced before the end of June 2016.

The draft Adequacy Decision on the EU-US Privacy Shield by the European Commission is available at:

Chris Connolly
Galexia, March 2016.

[ Galexia Dots ]

[1] The US Safe Harbor - Fact or Fiction?, December 2008, <>.