Safe Harbor & Privacy Shield FAQ


On 6 October 2015, the Court of Justice of the European Union (“CJEU”) delivered its judgment in C-362/14 Maximilian Schrems v Data Protection Commissioner invalidating the U.S.-EU Safe Harbor decision. On 29 February 2015, the European Commission formally presented the draft for Safe Harbor’s successor: The EU-U.S. Privacy Shield.

These FAQs provide an overview of the implications of the Court’s decision. They also offer some guidance to companies about what to do in wake of the judgment and updates on the latest developments relating to Privacy Shield, the Safe Harbor successor.

Q: What was the U.S.-EU Safe Harbor framework?

A: Under the Data Protection Directive (Directive 95/46/EC) the transfer of personal data from the European Union (“EU”) outside of the European Economic Area (“EEA”) is prohibited unless the data protection rules of the third country to which the data are transferred have been declared “adequate” by the European Commission.

As the United States (“U.S.”) and the EU take different approaches towards data protection rules the European Commission – in consultation with the U.S. Department of Commerce – developed the Safe Harbor principles. In July 2000, the European Commission adopted the Safe Harbor decision (Decision 2000/520/EC) that declared that the Safe Harbor principles provided an adequate level of personal data protection. The decision allowed the transfer of personal data from the EU to U.S. companies that participated in the Safe Harbor self-certification scheme.

Q: Why was the Safe Harbor decision invalidated?

A: The CJEU found that the Safe Harbor framework enabled “interference (…) with the fundamental rights of the persons whose personal data is or could be transferred from [the EU to the U.S.]” because it only covered self-certified companies and not actions by U.S. authorities.

Additionally, the CJEU considered the European Commission’s Safe Harbor decision and found that the Commission had not –  as is required by the Data Protection Directive – establish that the U.S. provides an adequate level of protection of personal data “by virtue of its domestic law and international obligations”, i.e. a “level of protection of fundamental rights essentially equivalent to that guaranteed in the EU legal order.”

In this context the Court recalled that in the EU interference with the fundamental right to respect to private life is only permissible where it is strictly necessary and explicitly provided examples of legislation that is not in line with the EU legal order: Generalized retention of personal data; generalized surveillance of the content of communication; lack of judicial recourse for for individuals to access, rectify or erase personal data relating to them.

The CJEU further found that the Safe Harbor framework unlawfully limited the power of national data protection authorities to investigate claims by individuals concerning the adequacy of third countries.

Q: When has the CJEU’s judgment come into effect?

A: The CJEU’s judgment was effective immediately. As such the U.S.-EU Safe Harbor Framework has ceased to exist as of 6 October 2015.

Q: What is the impact of the CJEU’s judgment?

A: With the Safe Harbor decision invalidated, organizations that made use of the Safe Harbor framework can no longer use it to legally transfer personal data from the EU to the U.S. as of 6 October 2015. This means that there is no harmonized EU-level answer to the question of whether and how personal data can be transferred to the U.S. It is now up to each national data protection authority to make decisions on transfers of personal data from the EU to the U.S. in accordance with national law and the Data Protection Directive. Undoubtedly, the judgment creates significant legal uncertainty. That said there are alternative mechanisms with which to achieve the same goal (see below).

Q: How can my company continue to legally transfer data from the EU to the U.S.?

A: The Safe Harbor Principles were not the only mechanism allowing the transfer of personal data from the EU and U.S. Your company may still leverage any one or several of the following alternatives:

For more detailed information please consult the European Commission’s communication on transfers of personal data from the EU to U.S. following the Schrems judgment. Additionally, companies should consult the data protection authorities in their relevant markets as requirements for the lawful transfer of data to the U.S. may vary across countries.

Q: What is the impact of the Schrems judgment on alternative transfer mechanisms?

A: In principle, the Schrems judgment only invalidated the Safe Harbor decision has no bearing on the validity of alternative transfer mechanisms.

However, the Article 29 Working Party (“WP29”) has indicated reservations about alternative transfer mechanisms, such as BCRs, for transfers of personal data from the EU to the U.S. on the basis that some of the CJEU’s considerations concerned fundamental rights, which could also apply to alternative transfer mechanisms. While the WP29 was unambiguous about the unlawfulness of continued transfers based on the invalidated Safe Harbor decision, it announced that it considers transfers under BCRs and Standard Contractual Clauses valid for the moment.

The WP29 originally threatened potential enforcement against transfers based on alternative transfer mechanisms after the end of January 2016 unless U.S. and EU negotiators could solve outstanding issues. This grace period has been extended to allow the WP29 time to analyze the successor to Safe Harbor, which was announced on 2 February 2016 (see below).

In any case, companies should consult with the data protection authorities in their respective markets as different member states may take a different view to that of the WP29.

Q: Will there be a new Safe Harbor framework?

A: On 2 February 2016 the European Commission announced that EU and U.S. negotiators have reached a political agreement on the successor of the Safe Harbor framework: The EU-U.S. Privacy Shield. On 29 February 2016, the European Commission published a series of documents that make up the Privacy Shield framework, including its draft decision on the adequacy of the protection provided by the EU-U.S. Privacy Shield as well as a number of supporting documents.

Companies should bear in mind that Privacy Shield is in a draft stage and cannot serve as a legal basis for transferring personal data from the EU to the U.S. until formally approved.

Q: When will Privacy Shield enter into force? *UPDATED*

A: Before Privacy Shield can be relied upon by companies to transfer data from the EU to the U.S. the draft adequacy decision must be reviewed and approved by a committee of experts from the 28 EU member states in the so-called comitology procedure. There are no fixed deadlines for this procedure. Previous comitology procedures have taken more than a year. However, given the importance of Privacy Shield, it is conceivable that the process is expedited in this instance. The European Commission’s optimistic forecast is that the decision could be adopted as early as June 2016.

*UPDATE 13-04-2016*

The Article 29 Working Party, which consists of all 28 EU data protection authorities, has issued an opinion on the draft adequacy decision on 13 April 2016. In its statement the group says that it welcomes the significant improvements that Privacy Shield offers over Safe Harbor, but also that is not convinced that Privacy Shield’s improvements are enough, because key elements of EU data protection are missing or substituted by inadequate alternative notions.

While the Article 29 Working Party’s opinion is not binding, the European Commission and EU member states have an interest in considering it carefully as under the Schrems judgment national data protection authorities are given greater powers to take cases on adequacy decisions to court.

*UPDATE 26-05-2016*

On 26 May 2016 the European Parliament adopted a joint motion for a resolution on transatlantic data flows. While not binding, the resolution sends a strong message, citing that the Parliament feels that the current Privacy Shield would allow surveillance that does not comply with the EU’s Charter of Fundamental Rights.

Meanwhile, the Article 31 Committee (composed of experts from national Member States) has set 20 June as the date for a vote on the Privacy Shield. In its meetings in May, no vote was taken as they only received an update on the negotiations with the US counterparts. A final text was thus not available yet. The Article 31 Committee’s vote on the agreement is binding – a positive vote will mean the Commission can go ahead and adopt the adequacy decision, whereas a negative vote will stop the process.

*UPDATE 08-07-2016*

The Article 31 Committee has approved the Privacy Shield deal, after the Commission renegotiated the deal with its US counterparts. This was a binding vote and the final formal step for the approval of the deal, meaning that the European Commission will likely adopt the adequacy decision on Monday, 11 July.

Q: How will Privacy Shield be different from Safe Harbor? *UPDATED*

A: Privacy Shield provides a number of improvements over its predecessor, addressing concerns of the CJEU as outlined in the Schrems ruling and the European Commission’s 2013 communication on the functioning of Safe Harbor. Privacy Shield does not only cover commitments in the commercial sector, but also in the area of access to personal data by public authorities, including for national security purposes.

If confirmed, Privacy Shield would create a system of self-certification by which organizations commit to comply with a set of “Privacy Principles.” These principles would include more robust obligations on how personal data may be processed and individual rights guaranteed, as well as stricter liability provisions.

Privacy Shield would be administered by the U.S. Department of Commerce and enforced by the Federal Trade Commission and U.S. Department of Transportation. The U.S. Department of Commerce has committed to “regular and rigorous” monitoring of how companies’ compliance with Privacy Shield. Companies that fail to comply would face “severe sanctions” under U.S. law.

In addition, under the Privacy Shield package, the U.S. Department of Justice and the Office of the Director of National Intelligence has provided the EU with assurances that access by public authorities for law enforcement, national security and other public interest purposes would be subject to clear limitations, safeguards and oversight mechanisms. To this end the U.S. will create the office of an ombudsperson tasked with following-up on complaints and inquiries by EU individuals into national security access by U.S. authorities of commercial data transferred to the U.S. under any legal basis.

EU individuals would also be provided with further enhanced redress possibilities, including cost-free alternative dispute resolution. Companies also would need to commit to reply to complaints within a fixed deadline. European data protection authorities would have the possibilities to bring claims before U.S. authorities in order to facilitate investigations. In addition, as a last resort, individuals would have access to a dispute resolution mechanism that can take binding and enforceable decisions against U.S. Privacy Shield companies: The Privacy Shield Panel. EU data protection authorities would be able to provide assistance to individuals in preparing their arbitration case before the Privacy Shield Panel.

Lastly, Privacy Shield would be subject to an annual joint review carried out by the European Commission and U.S. Department of Commerce to regularly monitor the functioning of all aspects of Privacy Shield, including the limitations and safeguards relating to national security access. This review would include European data protection authorities and U.S. national security authorities. Should U.S. companies and public authorities be found not to comply with their commitments, the European Commission could suspend Privacy Shield.

*UPDATED 08-07-2016*

As part of the renegotiations, the U.S. has provided an additional letter of assurance about the bulk collection of data by it’s national security intelligence services. Issues of data retention and the office of the Ombudsperson were also further clarified. Judging by the positive vote of the Article 31 Committee, these changes have had the desired effect of gathering the approval of the Committee, which previously stated that the adequacy decision required more clarifications before they were ready to vote. However, neither the Article 29 Working Party, the EDPS, nor the European Parliament have commented on whether the renegotiated deal has alleviated their concerns.

Q: What will happen to Privacy Shield under the new General Data Protection Regulation?

A: The European Commission has stressed that Privacy Shield is drafted in such a way that it would be valid under Europe’s future General Data Protection Regulation, which is expected to take effect in the summer of 2018.

Q: How can I stay up to date on the latest developments?

A: IAB Europe will periodically update this page as new information becomes available and members are invited to contact our staff about additional information.


Thank you for your interest in our article. We’d love to get in touch with you to find out how you are using our research. If you don’t mind us sending you an email to ask you if the article was helpful, then please enter your email address and download the report.

We promise we won’t spam you!


Become a Member Lost your password?