Skip to the content


'Privacy Shield' to impact both sides of the Atlantic

Privacy Shield

The advances of the digital age have ensured that data security is one of the hottest topics for many businesses, whether they be in the UK, Europe, or the US.

Various high-profile headlines surrounding data breaches ensured that data security was one of the big talking points of 2015, but as the sophistication of technology increases, so too does the nature of security threats.

Privacy and security has ensured that international data transmissions have always been a problematic area for modern organisations on both sides of the Atlantic.

Unified response

Authorities in both the US and the European Union (EU) have already recognised the threat, as well as the need to work together in forming a defensive response.

The result was a blanket set of laws named "Safe Harbour", which allowed US companies to transfer the data of European citizens to the US, provided its destination had privacy protection in place that were in line with EU standards.

In place since 2000, the measures allowed large companies like Google and Facebook to carry out a self-certification process, promising to protect EU data stored on U.S. soil.

However, Safe Harbor was effectively ended by the revelations made by former National Security Agency contractor Edward Snowden, which when compounded with the Max Schrems case, sparked overwhelming concerns that the measures were largely inadequate in terms of offering the protection needed to stave off cyber threats.

Yet despite a new proposal being talked about for a number of months, it is only now that a replacement has been introduced, with the emergence of the 'Privacy Shield'.

What's different?

Much like Safe Harbor, Privacy Shield is the result of a joint effort between experts in the EU and US, but despite Safe Harbor being invalidated back in October 2015, the new measures are not intended to act as a replacement or even a refinement of it.

Speaking at a recent hearing on Privacy Shield held by the European Parliament's Civil Liberties, Justice and Home Affairs Committee (LIBE), Tiina Astola, commission director-general for justice and consumers, said the new law was “radically different from the old Safe Harbor,” and should be “assessed as a whole,” including the seven annexes that outline various commitments from US government departments and agencies.

Instead, Privacy Shield is being pushed as a representing a new deal entirely, dictating that data traveling internationally can, at the discretion of the data’s originator, be done so within the framework of the laws of either the destination for of its homeland.

For example, a Facebook user in Ireland may send their data to servers in the EU before they are then sent to California for Facebook’s home database to store and analyse whenever they need to.

In this case, Facebook would be able to decide for itself whether the data handle would fall under Irish, American or European law.

Data going from a someone under Privacy Shield to another third party must be subject to applicable terms that only allow data to be used in a way that is expressly permitted by the originator, subject to applicable privacy laws.


However, there already doubts over the effectiveness of the new rulings, with Isabelle Falque-Pierrotin, the chair of the Article 29 Working Party of EU member state data protection commissioners, stressing that more needed to be done in order “to ensure that there is not massive or indiscriminate access” to data that is sent to the US.

According to Bloomberg, Ms Falque-Pierrotin added there were doubts over whether there were enough privacy measures in place across the EU as a result of the draft of Privacy Shield decision seen by experts.

“We feel there is an absence of rules in the Privacy Shield on data retention,” she said.

There are also concerns over how such measures will fit in with the EU general data protection regulation that is poised to be observed by all companies handling data originating from the EU, no matter where the company happens to be based.

Ms Falque-Pierrotin continued by stating that Privacy Shield may well have enough about it to “set a standard” for other EU decisions when it comes to privacy protections in other countries, but urged authorities to remain cautious."