EU and US reach new data transfer agreement

03 February 2016

The European Commission and the US have agreed a new framework on transatlantic data flows, replacing previous “safe harbour” rules.

The EU-US Privacy Shield was approved by the College of Commissioners yesterday and is awaiting approval by EU members.

The new framework is designed to protect the fundamental rights of Europeans when their data is transferred to the US and ensure legal certainty for businesses. It marks the first major commitment from the US not to indulge in mass surveillance of EU citizens.

There will be an annual joint review of the agreement.

“We have agreed on a new strong framework on data flows with the US. Our people can be sure that their personal data is fully protected. Our businesses, especially the smallest ones, have the legal certainty they need to develop their activities across the Atlantic. We have a duty to check and we will closely monitor the new arrangement to make sure it keeps delivering,” said Andrus Ansip, VP, digital single market, EC.

The move brings much-needed clarity for organisations conducting transatlantic business, since an EU court ruling last October made the previous “safe harbour” rule invalid.

However, Patrick Van Eecke, a partner at DLA Piper, does not believe the agreement will bring businesses the legal comfort they were looking for.

“As the new agreement will be reviewed on an annual basis, and as local data protection authorities will still have the possibility to prohibit data transfers to the US, it does not bring the much-needed legal clarification companies are looking for,” he said.

“It will even make them think twice before stepping into the safe harbour programme and using this as the long-term solid legal basis for EU-US data transfers. Instead, they will probably have to go back to asking for individual consent from each citizen they are collecting data from - an onerous and costly process.”

The agreement does represent a shift in power regarding data protection, with the focus moving away from providing US companies with a safe harbour for storing EU-collected data in the US, to protecting European citizens from their data being misused in the US. “It [the US] has gone from a corporate enabler to a citizen protector - a paradigm shift in the essence of data protection,” added Van Eecke.