Access Alert: Behind the EU-US Privacy Shield – What is ‘Safe Harbour 2.0’?

The 'EU-US Privacy Shield' is hailed as 'Safe Harbour 2.0', but hurdles remain, and even clearing them is no guarantee of a harmonious data-transfer environment for tech companies. Our experts bring you up to date.

EU and US negotiators reached a non-legally-binding agreement on 2 February on a new mechanism for legal data transfers across the Atlantic – the ‘EU-US Privacy Shield’ – to replace the Safe Harbour agreement, which the European Court of Justice (ECJ) ruled invalid in October 2015.

What’s in the Agreement?

  1. A right of redress for EU citizens through various dispute mechanisms, including a new, last-resort arbitration entity (to be independent of US agencies)
  2. Strong and clear safeguards for personal data protection and oversight of those US agencies
  3. A US Department of State ombudsman for EU citizens’ data concerns
  4. Provision for annual joint review of the agreement
  5. Sanctions for non-compliant companies (including removing offenders from the list of authorised data handlers).

What’s Next?

The text is being finalised, but it must be sent to the Article 29 Working Party (WP29), a body comprising Europe’s data protection authorities, by the end of February. WP29 will then distribute it to its members and assess whether the Privacy Shield would bring all EU-US data transfers up to the standard required by the ECJ. This determination will come in April at the latest, at the same time as a judgement on other mechanisms for data transfer, such as binding corporate rules and model contracts.

It will also require approval from the College of Commissioners. This could take up to three months, during which time companies will need to continue using the alternative measures. The US Department of Commerce will require a few weeks to determine implementation procedures and institute an ombudsman.

What will WP29 Look For?

WP29 will be asking whether the Privacy Shield meets four criteria:

  1. Processing should be based on clear, precise and accessible rules.
  2. Necessity and proportionality with regard to the legitimate objective pursued need to be demonstrated.
  3. An independent oversight mechanism should exist that is both effective and impartial.
  4. Effective remedies need to be available to the individual.


  • The risk of enforcement is suspended. While action from individual member states cannot be ruled out entirely, the WP29 statement on the new agreement states that model contracts and binding corporate rules are still sufficient for the time being.
  • Companies will need to recertify. Details of new obligations are not yet fully known but companies will need to publish their data-protection procedures and those with European HR data will need to comply with the forthcoming WP29 decision.
  • It will be months before companies can make transfers under the agreement. Even if recertification is swift, WP29 isn’t expected to reach a judgement before April, while the process for a new adequacy decision from the Commission may take several months in its own right.
  • Even once agreed, it won’t be the end of the story. The ECJ has made it clear it will examine the Privacy Shield and other transfer mechanisms individually. Complaints against model contracts are already underway in several EU member states, and the new agreement itself will (probably) be challenged in future.

Related Articles

EURACTIV Virtual Conference: Humans and Machines Working Together

EURACTIV Virtual Conference: Humans and Machines Working Together

A period of rapid transformation is dawning, but what legal and ethical questions does this paradigm shift raise? On 25...

1 Mar 2021 Opinion
Access Alert: President Biden Signs Executive Order to Review Global Supply Chains in Key Industries

Access Alert: President Biden Signs Executive Order to Review Global Supply Chains in Key Industries

On 24 February 2021, U.S. President Joe Biden signed an executive order to review the global supply chains used by...

25 Feb 2021 Opinion
The European Commission Launches Process on Dataflows to the United Kingdom

The European Commission Launches Process on Dataflows to the United Kingdom

The European Commission has launched the process towards the adoption of two adequacy decisions for personal data transfers to the...

25 Feb 2021 Opinion
EU ePrivacy Regulation: Objectives and Ramifications

EU ePrivacy Regulation: Objectives and Ramifications

The ePrivacy Regulation (formally known as Regulation of the European Parliament and of the Council concerning the respect for private...

15 Feb 2021 Opinion