Data Protection: the Safe Harbor 2.0

On 2 February 2016, the European Commission and the United States reached an agreement on a new framework for transatlantic data flows. This EU-US Privacy shield will replace the Safe Harbor framework invalidated last October by the famous SCHREMS ruling.


In order to facilitate data transfers between the United States and the European Union while ensuring a high level of protection of personal data, the Commission adopted Decision 2000/520/EC of 20 July 2000 which considered that the United States’ principles set out in Safe Harbor ensured an adequate level of protection of personal data as required by European Directive 95/46/EU.

However, in October 2015 the Commission’s Safe Harbor decision was declared invalid by the European Court of Justice. Following this ruling the European Commission has intensified negotiations with the United States in order to put in place a renewed and safe framework for transfers of personal data.

A new framework for transatlantic data flows

According to recent press releases, the EU-US Privacy Shield will include the following elements:
• Clear safeguards and transparency obligations on U.S. government access;
• Strong obligations on companies handling Europeans’ personal data and robust enforcement;
• Effective protection of European citizens’ rights with several redress options.

Next steps

The political agreement has been approved by the College of Commissioners which mandated Vice-President Anisp and Commissioner for Justice Jourova to prepare a draft “adequacy decision” in the coming weeks.

During its meeting on 3 February, the Article 29 working party called on the Commission to communicate all documents relating to the new framework by the end of February.

If it is adopted, this new decision would again allow companies to base their transfers of data to the United States on this additional legal basis.