Logo gray


On 29 February 2016, the European Commission presented the draft decision texts on the new framework for transatlantic exchange of personal data, i.e. the Privacy Shield, which was intended to replace the invalidated Safe Harbour agreement. Following the opinion of the European data protection authorities (Article 29 Working Party) of 13 April and the European Parliament resolution of 26 May 2016, the Commission formally adopted the Privacy Shield on 12 July 2016 and it has entered into force immediately after.

Since presenting the draft Privacy Shield in February, the Commission has made amendments to the decision texts to include additional clarifications and improvements. The European Commission and the United States agreed on additional clarifications on bulk collection of data, strengthening the Ombudsperson mechanism, and more explicit obligations on companies as regards limits on data retention and onward transfers. However, critics say that although the Privacy Shield gives better protection for personal data than Safe Harbour, it is still far from what the European Court of Justice has prescribed in its Safe Harbor decision.

The U.S. Department of Commerce has also started to operate the Privacy Shield. Once companies have had an opportunity to review the framework and update their compliance, they will be able to register at the Department of Commerce starting as of 1 August 2016. In parallel, the Commission will publish a short guide for citizens explaining the available remedies in case of breach of data protection rules.