Safe Harbour Replacement?

On Tuesday 2 February 2016, the EU Commission and US Department of Commerce announced that they had reached “political agreement” on a new privacy framework for transfers of personal data between Europe and the United States.

The new framework – the “EU–US Privacy Shield” – will replace Safe Harbour, which was nullified by the Court of Justice of the European Union (CJEU) last year due to allegations of mass surveillance. One of the components of the new Privacy Shield will provide limitations and safeguards on US mass surveillance. There are some commentators, however, who worry that exceptions for national security will trump European citizens’ privacy rights.

The details of the EU-US Privacy Shield are not yet publicly available, and the European Data Protection Authorities (DPAs) will need to give their approval. The permissibility of transatlantic data transfers will therefore remain uncertain for a bit longer. Still, this week’s announcement is an important development in the future of EU– US data transfers.

The US Department of Commerce has released a factsheet stating that the Privacy Shield will “significantly improve commercial oversight and enhance privacy protections”. This can be viewed at but do not rely on this until the Privacy Shield has been officially approved.