After being given an initial 31 January 2016 deadline, negotiators from both the EU and the US have seemingly finalised an agreement on a new safe harbour data transfer framework for personal data, following the judgement of 6 October 2015 that the original Safe Harbour framework was invalid.

The EU-US Privacy Shield was presented to the College of Commissioners on 2 February 2016 and is then set to be presented to the Article 29 Working Party of the EU's Data Protection Authorities (DPAs).

Vice-President Ansip has claimed that the agreement has created a more robust mechanism with significant improvements.

Major changes under the EU-US negotiations are:

  • the creation of a special ombudsperson within the US State Department, who will be tasked with following up complaints and enquiries by individuals on national security access on referral from EU DPAs
  • an obligation, enforceable under US law, for US companies wishing to import personal data from the EU to comply with robust rules on how personal data is processed and how individual rights are guaranteed, and
  • written assurances, for the first time, that the access of public authorities for law enforcement and national security will be subject to clear limitations, safeguards and oversight mechanisms.

Further to this, the Privacy Shield details an annual joint review, between the European Commission and the US Department of Commerce, in order to regularly monitor the effectiveness of the Privacy Shield.

Safe Harbour did not necessarily provide a lawful data transfer mechanism for US companies not governed by the Department of Commerce (such as the financial sector) and it will be interesting to see whether or not the Privacy Shield is as much of a win-win.