EU-US Privacy Shield for transatlantic data transfers finalised

Transfers of personal data from most European countries to the US have been exposed to legal attack since October 2015, when privacy campaigner Max Schrems successfully sued the Irish authorities over data transfers made by Facebook Ireland.

That David-and-Goliath litigation saw the end of the “Safe Harbor” decision protecting transatlantic data flows when the European courts declared it invalid. While other legal methods of data transfer are available, the Safe Harbor was widely relied on especially by technology businesses.

A new Privacy Shield

Since then, the EU and US authorities have been working on a replacement – the EU-US “Privacy Shield”. After a first attempt was rejected by national and EU regulators, a tightened-up version has now passed the test. The Commission's press release and FAQs document provide a helpful summary.

The revised version consists of:

  • an adequacy decision describing the system of self-certification through which US organisations commit themselves to a set of privacy principles; and
  • a set of seven Annexes dealing with the arrangements that the US authorities will implement to safeguard EU citizens' data.

US companies will be able to certify themselves with the US Department of Commerce from 1 August. There will be an annual joint review process to check that the system is working.

While the certainty offered by agreement of the Privacy Shield has been widely welcomed, this may not be the end of the story. Max Schrems, the activist responsible for the demise of its predecessor, has told journalists that the deal is full of holes and likely to fail a legal challenge – although he does not want to be the one to bring it.

What does this mean for the UK?

UK privacy regulator, the ICO, has indicated that it will press for UK laws to track those of the EU.

It may be that the UK will adopt most of the changes due to take effect in 2018 under the GDPR, but leave out some of the more onerous obligations that could impede the activity of SMEs, for example. If the UK ends up with a relatively distant relationship with the EU compared to an EEA member like Norway, privacy laws could diverge. In that case, the UK will have to demonstrate adequacy of protection for European citizens' privacy, as the US has done, if it is to do business freely across Europe.
