The Privacy Shield Has Arrived

privacy shield, data protectionIt’s finally here! The EU – U.S. Privacy Shield (aka Safe Harbour 2.0) has been approved by the European Commission which means businesses in the EU will be able to transfer personal data to U.S. self-certified companies without the need for any further safeguards.

There’s been an air of uncertainty around personal data transfers between the EU and the U.S. since the European Court of Justice (ECJ) invalidated the Safe Harbour scheme in October 2015; so this is great news for businesses in the EU which use service providers based in the U.S.

Rather than discussing the background of the invalidity of the original Safe Harbour scheme  we’re going to focus this blog post on the practical reality of what this decision really means for your business.

Why is the Privacy Shield relevant and /or important?

Under the Data Protection Act 1998, a data controller can only transfer personal data to a country outside of the European Economic Area (EEA) that country “ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

Given EU data protection laws are among the most stringent in the world, this sets a pretty high threshold.

In the firm’s experience, the Safe Harbour scheme was the most popular method of ensuring this level of protection. Businesses in the U.S. were familiar with it and, once signed up, could deal with anyone in the EU without the need for consent or further contracts. The Privacy Shield has a similar framework and therefore the same benefits apply.

What European businesses need to do to benefit from this decision?

First, it’s important to understand that a U.S. company who is self-certified under the original Safe Harbour scheme is not automatically self-certified under the new Privacy Shield.

If you have used another method to ensure “adequate” protections are afforded to personal data which you have or will transfer to the U.S. (for example Model Contract Clauses), that is still valid and you won’t have to do anything.

If you haven’t, or you want to change to the Privacy Shield, you should contact your data processors in the U.S. and ask them whether they are ready and willing to apply for self-certification. Applications to the U.S. Department of Commerce opened on 1 August 2016.

This Department has issued a very helpful set of instructions on ‘How to Join Privacy Shield: Guide to Self-Certification’ if you are interested.

Other than that, you could say that the ball is really in the court of U.S. businesses. They are ones who have to develop compliant privacy policies, identify an independent recourse mechanic (i.e. dispute resolution program) and designate a contact for handling privacy questions, access requests, complaints etc. The list goes on.

Of course, UK businesses will still have to comply with all existing requirements under the Data Protection Act 1998; including having a written contract with the U.S. data processor which requires it to only act on the instructions from the EU data controller.

Furthermore, given that you (the data controller and data exporter) will still be responsible and liable to EU data subjects for compliance with the new framework, having warranties and indemnities around Privacy Shield membership and compliance are highly advisable.

What is our view?

We, along with many others, have questions about how the Privacy Shield will play out in practice. In particular:

  • Will UK and U.S. businesses who have recently set up new adequacy protections in the aftermath of the invalidation of Safe Harbour join the Privacy Shield? No-one likes to negotiate twice.
  • Will the Privacy Shield actually prove to be a workable and effective? Many, including the Article 29 Working Party – a body comprised of representatives from national data protection authorities, European Commission and the European Data Protection Supervisor – have their doubts. All eyes will therefore be on the results of the first joint annual review.
  • What will be the relevance of Privacy Shield post-Brexit? No-one knows the answer to this. For the meantime it applies, but Brexit will require a reworking, or at least a restructure, of the legal requirements surrounding data flows between the UK and the EU, as well as the UK and the US.


This post was written by Lucy Archer, Associate, Intellectual Property, JAG Shaw Baker and  Solicitor of the High Court of New Zealand

A cookie is a small file of letters and numbers that we store on your browser or computer, phone or tablet hard drive if you agree. more information

INFORMATION ABOUT OUR USE OF COOKIES Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience and also allows us to improve our website. By continuing to browse the website, you are agreeing to our use of cookies. A cookie is a small file of letters and numbers that we store on your browser or computer, phone or tablet hard drive if you agree. We use the following cookies: • Strictly necessary cookies. These are cookies that are required for the operation of our website. They include, for example, cookies that enable you to return to a previous page. • Analytical/performance cookies. They allow us to recognise and count the number of visitors and to see how visitors move around our website when they are using it. This helps us to improve the way our website works, for example, by ensuring that users are finding what they are looking for easily. The analytical/performance cookies are provided on our behalf by Google Inc. to aid with reporting of user behaviour, market research and improving website functionality. This user behaviour is analysed in order to improve this website. To see how this applies to Google Analytics, visit You can stop tracking by Google Analytics by visiting COOKIE DURATION The strictly necessary session cookies are a temporary cookie which remains in the cookie file of your browser until you close the browser. The other cookies will remain in the cookie file of your browser after the closing of the browser, and will become active again when you reopen this website. The different cookies have different expiration dates. Following expiry of a cookie, a new version of that cookie will be downloaded when you next visit this website, unless you have withdrawn your consent in the meantime. You can block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our website. Contact If you have any queries regarding this cookie policy please contact us at