On February 2, 2016, the European Commission, the executive body of the European Union (“EU”), and the United States announced an agreement on a new alternative, called the “Privacy Shield,”[1] to replace the former “Safe Harbor” program, which was invalidated by the European Court of Justice (“ECJ”) in October 2015.[2]


Unlike the United States’ patchwork approach to privacy, the EU has a broad overarching law, called the Data Protection Directive 95/46/EC (“Directive”), which provides a minimum set of protections that each EU member state must offer for personal data. In order to facilitate business between the United States and EU, the United States and EU negotiated an agreement whereby U.S. companies wishing to process EU residents’ personal data could do so by qualifying for, and meeting, certain principles and guidelines. These principles and guidelines were set forth in what was known as the U.S.-EU Safe Harbor Framework (“Safe Harbor”), which required adherence to guidance materials and seven basic principles: notice, choice, onward transfer limitation, security, data integrity, access, and enforcement. Companies could self-certify that they were in compliance with the Safe Harbor and process (which, under the Directive, includes transferring) EU data.

On October 6, 2015, the ECJ issued a judgment declaring the Safe Harbor “invalid.”[3] Although the U.S. Department of Commerce stated that it would continue to administer the Safe Harbor program,[4] companies that relied on the program for transferring employee information between the United States and EU were at risk.

The New EU-U.S. Privacy Shield

While the language of the Privacy Shield has not been released, news reports and the press release of the European Commission indicate that the new EU-U.S. Privacy Shield imposes stronger obligations on companies in the United States to protect the personal data of Europeans and provides for stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (“FTC”). The enforcement will include increased cooperation between the U.S. agencies and European Data Protection Authorities. Specifically, the new arrangement is reported to include the following elements:

  • Strong obligations on U.S. companies handling Europeans' personal data and robust enforcement: If a U.S. company imports personal data from Europe, it must commit to robust obligations on how the personal data is processed and guarantee certain individual rights. The Department of Commerce will monitor to ensure that companies publish their commitments. Once such commitments are published, the FTC has jurisdiction and authority to enforce compliance with those commitments. Critically, U.S. companies handling European employment data (e.g., human resource information) must commit to comply with decisions by European regulations with respect to that data.
  • Clear safeguards and transparency obligations on U.S. government access: The United States has assured the EU, in writing, that access by public authorities (for law enforcement and national security reasons) will be subject to clear limitations, safeguards, and oversight mechanisms. Such access must be limited to the extent necessary and must be proportionate to the need. Jointly, the European Commission, the U.S. Department of Commerce, national intelligence experts, and European Data Protection Authorities will annually review the Privacy Shield, including assessing national security needs and access.
  • Effective protection of EU citizens’ rights with several redress possibilities: European citizens believing that their personal data has been misused under the Privacy Shield will have several avenues for remedy. European regulators can refer complaints to the U.S. Department of Commerce and the FTC. Companies will have deadlines to reply to complaints. In addition, individuals will be able to take advantage of a free alternative dispute resolution process. Additionally, the United States will create a new Ombudsperson position (within the U.S. Department of State) who will be tasked with addressing complaints and inquiries from individuals related to possible access by national intelligence authorities.

Pursuant to the European Commission’s press release, the next steps include the Commission’s preparation of a draft “adequacy decision” in the coming weeks, which could then be adopted by the College of Commissioners after obtaining the advice of the Article 29 Working Party (comprised of European Data Protection regulators)[5] and member states’ representatives. Meanwhile, the United States is taking steps to implement a new framework, monitoring mechanisms, and a new Ombudsman.

Impact of Agreement

There are still several hurdles to cross. The Article 29 Working Party and representatives must provide input to the College of Commissioners. Likewise, the United States must make the necessary preparations to put in place the new framework, monitoring mechanisms, and the new Ombudsman. Absent future challenge, however, there will be an “adequacy decision,” enabling transatlantic data to flow between the EU and companies in the United States complying with the new Privacy Shield.

* * *

This Client Alert was authored by Adam S. Forman and Patricia M. Wagner. For additional information about the issues discussed in this Client Alert, please contact one of the authors or the Epstein Becker Green attorney who regularly handles your legal matters.


[1] European Commission, Press Release, “EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield” (Feb. 2, 2016), available at http://europa.eu/rapid/press-release_IP-16-216_en.htm.

[2] See Epstein Becker Green Client Alert, “European Court of Justice Invalidates U.S.-EU Safe Harbor” (Oct. 9, 2015), available at news/european-court-of-justice-invalidates-u-s-eu-safe-harbor/.

[3] Case C-362/14 Maximillian Schrems v Data Protection Commissioner [2015] ECLI:EU:C:2015:650, available at http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=

[4] See the Export.gov advisory available at http://www.export.gov/safeharbor/index.asp.

[5] The Article 29 Working Party has said, in a press conference, that before proffering a legal opinion regarding the Privacy Shield, it will wait to see the details of the new arrangement and will consider the commitments made by the United States. A formal statement will be published.
