EU and U.S. Reach Agreement on Safe Harbor Replacement: 'EU-U.S. Privacy Shield'
Client Alert | 3 min read | 02.02.16
The European Commission (EC) and U.S. Department of Commerce (DOC) have been negotiating a new Safe Harbor framework (Safe Harbor) governing the transfer of data from the European Union (EU) to the U.S. for over two years. After invalidation of Safe Harbor in October 2015 by the European Court of Justice (ECJ), EU Member State data protection authorities (DPAs) agreed to hold off on enforcement against companies utilizing Safe Harbor until January 31, 2016, thus imposing a de facto deadline on the framework negotiators to agree on a replacement by that time.
Today, the negotiators reached a deal on the successor framework, named the "EU-U.S. Privacy Shield" (Privacy Shield), to replace the invalidated U.S.-EU Safe Harbor framework.
Highlights of the Privacy Shield
Although the details of the arrangement have yet to be released, the EC announced some high-level points regarding the revamped program:
- It will include annual joint review of the program, by EC, DOC, DPAs and the U.S. national security agencies to evaluate whether changes are necessary.
- The EC is satisfied with the transparency and safeguards related to U.S. national security data collection that have now been put in place, including U.S. legislation curbing national security data collection, executive orders, the proposed Judicial Redress Act, and written assurances from the U.S. Director of National Intelligence.
- There will be an ombudsman in the U.S. Department of State who will follow up on referrals from national DPAs regarding EU citizen complaints about national security data use.
- There will be an added stop-gap dispute resolution mechanism in the form of binding arbitration for company data use cases that are not resolved after using other channels (namely direct complaint to company, independent recourse mechanisms, and DPA referral to U.S. authorities).
- There will be new requirements for onward transfers, that will likely require adapting existing contracts with sub-processors.
- EU Commissioner Věra Jourová estimates that it will take approximately three months to have the Privacy Shield in place and ready for use after finalization and ratification in the EU and the U.S.
The Article 29 Working Party (WP29), consisting of the DPAs of all 28 Member States, is scheduled to meet in Brussels on February 3. Commissioner Jourova will discuss the Privacy Shield at that meeting, and seek the further advice of the WP29 on the new framework. We will provide further information after the meeting.
In addition, if the WP29 provides no new "grace period" for companies using the old Safe Harbor framework to legitimize data transfers, U.S. companies will have to rely on other mechanisms until the Privacy Shield becomes effective and companies certify to the terms of the new program. Until that time, the options include:
- EU-approved model contract clauses.
- Binding Corporate Rules (for intra-company transfers only).
Certain other specific derogations that are narrowly interpreted may also apply, including:
- Informed consent of the data subject (though this may not be possible for human resources or other data relating to employees).
- Performance of a contract (e.g., limited to circumstances such as booking a hotel in the U.S. where personal information must be provided to the U.S. entity to fulfill the contract).
- Important public interest grounds (e.g., cooperation between authorities regarding fraud or cartel investigations).
- The vital interest of the data subject (e.g., urgent life or death situations).
Insights
Client Alert | 4 min read | 07.25.25
On July 24, the European Commission announced the imposition of new EU countermeasures in response to U.S. tariffs further to an agreement reached among EU Member States. These measures are adopted through Commission Implementing Regulation (EU) 2025/1564 and take the form of additional customs duties on U.S. products as well as export restrictions for certain EU products. In total, these measures concern about EUR 93 billion ($109 billion) worth of customs duties, the highest volume of bilateral trade caught by the EU so far. The EU countermeasures are set to enter into force as of August 7.
Client Alert | 5 min read | 07.25.25
Client Alert | 16 min read | 07.25.25
Client Alert | 1 min read | 07.24.25
Commission In Limbo: SCOTUS Puts CPSC Commissioners Back Out of Action