
After months of intense negotiations, the European Commission and the US Government announced today an agreement on the EU-US Privacy Shield. This new arrangement replaces the US-EU Safe Harbor Privacy Arrangement (“Safe Harbor”), which was struck down by the Court of Justice of the European Union on October 6, 2015. The EU-US Privacy Shield builds upon the original Safe Harbor, and establishes a range of additional protections for European personal data, particularly on the issues of public authority access to data. The new arrangement is a critical achievement to help assure continuity of transatlantic data flows, which are vital to the digital economies in both Europe and the United States. The negotiators on both sides of the Atlantic should be praised for this achievement as it is a “win-win” for data protection and the transatlantic digital economy.

What are the requirements of the new EU-US Privacy Shield?

Although the details of the arrangement still require further study, key features appear to include:

1. Clear safeguards and transparency obligations on US government access

US authorities have, for the first time, given written assurances to their European counterparts that law enforcement and national security access to personal data will be subject to clear limitations, safeguards, and oversight mechanisms to assure proportionality and necessity. There will be an annual joint review of the arrangement, including the national security access issue.

2. Strong obligations on companies handling Europeans’ personal data and robust enforcement

Under the Privacy Shield, US recipients of personal data from the EU will be required to commit to robust obligations on how personal data is processed and individual rights are guaranteed. The US Department of Commerce will monitor that companies publish their commitments to the Privacy Shield, and will otherwise assure application of enforcement authority by the US Federal Trade Commission under US law.

3. Effective protection of EU citizens’ rights with several redress possibilities

Any EU citizen who considers that their personal data has been misused under the new arrangement will have several redress possibilities. European Data Protection Authorities can refer complaints to the US Department of Commerce and the Federal Trade Commission. There will be deadlines for responding to complaints, and alternative dispute resolution will be free of charge. In addition, a new Ombudsperson will be created within the US Department of State to handle complaints about national intelligence authority access to European personal data.

What are the next steps?

The European Commission will prepare a draft adequacy decision for the arrangement, which could then be adopted following consultation with the Article 31 committee of Member State representatives, and after obtaining the advice of the Article 29 Working Party of data protection authorities. On the US side, the US authorities will in the meantime proceed to take the necessary steps to formalize their commitments in writing. The European Commission has expressed its hope that these procedures can be completed within three (3) months, and it is expected that US companies participating in Safe Harbor will have some time to decide whether to join the new arrangement. In the meantime, companies should continue to pursue appropriate data transfer and data processing agreements and monitor updates from data protection authorities regarding transition periods and enforcement of existing laws.


Brian Hengesbaugh is chair of the Firm's Global Data Privacy and Security Business Unit, a Member of the Firm's Global IP Tech Steering Committee, and a Member of the Firm's Financial Institutions' Group. Brian is listed in The Legal 500 Hall of Fame and was recognized as a Regulatory & Compliance Trailblazer by the National Law Journal. He is also listed as a Leading Lawyer for Cyber law (including data protection and privacy) in The Legal 500 and is listed in Chambers. Formerly Special Counsel to the General Counsel of the US Department of Commerce, Brian played a key role in the development and implementation of the US Government’s domestic and international policy in the area of privacy and electronic commerce. In particular, he served on the core team that negotiated the US-EU Safe Harbor Privacy Arrangement (Safe Harbor), and earned a Medal Award from the US Department of Commerce for this service. In addition, Brian participated on behalf of the United States in the development of a draft Council of Europe Treaty on Cyber Crime, and in the negotiation of a draft Hague Convention on Jurisdiction and the Recognition of Foreign Judgments. Brian has been quoted in the Wall Street Journal, New York Times, Forbes, CNET, Slate Magazine, Compliance Weekly, BNA Bloomberg, PCWorld and other news publications on global privacy and security issues.


Prof. Dr. Michael Schmidl is an honorary professor at the University of Augsburg and specialist lawyer for information technology law (Fachanwalt für IT-Recht). He is a partner at Baker McKenzie's Munich office and advises in all areas of contentious and non-contentious information technology law, including internet, computer/software, data privacy and media law. Mr. Schmidl also has a general commercial law background and has profound experience in the drafting and negotiation of outsourcing contracts and in carrying out compliance projects.
