From Safe Harbor to Privacy Shield: Making order from chaos on data protection

roads-maze-confusion-questionI want you to picture a long, complicated ant trail. They are marching along, in line, minding their everyday business. Now I want you to picture someone putting up a barrier in the middle of that trail. You know what, let’s picture a few barriers… what happens to the trail? Chaos, disorganization, stress, etc. (Do ants even feel stress?)

You may be asking why I am talking about ants. Well, it turns out ants walk in a straight line because they are all following one another. When something happens to that chain of command, all hell breaks loose. Which is exactly what happened on October 5, 2015, when the European Court of Justice declared the US-EU Safe Harbor Framework invalid in the landmark case Schrems v. Data Protection Commissioner. Since then, US and EU officials have been scrambling to implement a new mechanism for transatlantic data transfers.

What was Safe Harbor?

The Safe Harbor arrangement was established in 2000 to facilitate data flows specifically between the United States and European Union Member States. The arrangement came as a result of the EU’s Data Protection Directive, which allowed transfers of personal data of a citizen within the EU to an outside country only if that country ensured an adequate level of data protection. Under the arrangement, participating US companies could send and receive European personal data if they self-assessed and self-certified that their data transfer measures were “secure.”

What happened in Schrems v. Data Protection Commissioner?

Fast-forward to Edward Snowden’s big reveal. In light revelations made concerning the activities of US intelligence services, Austrian citizen Max Schrems lodged a complaint with the Irish data protection authority claiming that the US offered no real protection against national security surveillance of data transferred to the US. The particular data in question was information that Schrems provided to Facebook. Facebook transfers data from its Irish subsidiary to servers located in the US. Schrems argued that while measures were in place to protect data when dealing with US companies, there were no protections from the US government.

The result? The European Court of Justice – stressing the fundamental right to protection of personal data – invalidated the Safe Harbor framework for failing to protect the privacy of European citizens. (Think of those ants scattering, here.)

Post-Schrems Effects: A New Privacy Shield

To replace the now-defunct Safe Harbor agreement, last week the European Commission published the first details of its transatlantic Privacy Shield. The Privacy Shield is meant to strengthen obligations on US companies to protect European personal data, and improve regulations regarding data monitoring by US government agencies. The new arrangement will include the following elements:

  • Greater obligations on companies to publish their commitment to protecting Europeans’ personal data with robust monitoring by the Department of Commerce and enforcement by the Federal Trade Commission.
  • Companies will have to promise not to collect more personal information than needed for their services.
  • Clearer safeguards and transparency obligations on US government access by disallowing indiscriminate mass surveillance on personal data and implementing an annual joint review to regularly monitor the functioning of the arrangement.
  • Providing EU citizens with avenues for redress if their data protection rights become compromised. US companies may be directly liable for violations, and European Data Protection Authorities can refer complaints to the Department of Commerce and the Federal Trade Commission. For complaints regarding possible access by national intelligence authorities, an Ombudsperson will be created to address the concerns.

Most importantly, according to the commission, “for the first time, the US government has given the EU written assurance from the Office of the Director of National Intelligence that any access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms.” That said, it does appear that the NSA will still have plenty of access to data, which is unlikely to be well received and may lead to another challenge.

Next Steps for the Privacy Shield

Last week, the Article 29 Working Party, a group of EU Member State data protection representatives, released a draft agreement for review. After the Working Party offers their comments, approval will be required, which is not guaranteed. This complex process will take some time and is vulnerable to disruption each step of the way. But, the EU and the US hope to formally adopt a working agreement by August.

Further Action by the US to Support the Privacy Shield

While the both parties wait for approval of the new Privacy Shield, the US began implementation of a new framework for monitoring government surveillance actions and created a new Ombudsperson. On February 24, 2016, President Obama signed the Judicial Redress Act into law. The Act is important to assist final approval of the Privacy Shield, and provides EU Member States with limited rights to review, copy, and request amendments to records kept by federal agencies. We currently have the same rights under the Privacy Act of 1974. Under the Judicial Redress Act, the US Department of Justice will also designate countries whose citizens will have access to US federal courts for bringing specified claims against US government agencies for violating data protection rights.

Time to Get Back in Line

With the release of the draft Privacy Shield, many are skeptical that it will ensure proper privacy protection and some believe that it may be challenged after implementation; but for now, there is a strong probability that the Privacy Shield will be the next data transfer mechanism.


Warning & Disclaimer: The pages, articles and comments on do not constitute legal advice, nor do they create any attorney-client relationship. The articles published express the personal opinion and views of the author as of the time of publication and should not be attributed to the author’s employer, clients or the sponsors of Read more.

Join the Discussion

No comments yet.