New Transatlantic Privacy Shield | KPMG Hungary
Share with your friends

New Transatlantic Privacy Shield

New Transatlantic Privacy Shield

The new framework regulating the transfer of personal data between the EU and the U.S. has been available as of 1 August 2016.


Related content

The new framework regulating the transfer of personal data between the EU and the U.S. has been available as of 1 August 2016. The new “Privacy Shield” replaces the old regime known as “Safe Harbor”. The regime may be useful for U.S. corporations with EU branch offices and having data centers in the U.S. The new regime is available for U.S. parent companies at the following website:

The Safe Harbor framework was adopted by EU Commission decision No. 2000/520/EC. The reason for creating the framework was the EU data protection legislation. The legislation only allowed the transfer of EU citizens' personal data to third countries if the regulations of that third country ensured adequate protection. Historically, the U.S. did not guarantee adequate protection. Therefore, under this regime, U.S. corporations undertook additional commitments. The regime operated with several flaws and under heavy criticism for over a decade, until the European Court of Justice invalidated the previous decision of the EU Commission last October. The regime was invalidated due to the excessively broad scope of data transfers allowed under the regime and the lack of appropriate warranties.

As a result, no data transfer has been legally possible to the U.S. since last October, with the exception of transferring data through model contracts, binding internal by-laws (and the relocation of data centers to the EU). Finally, the uncertain situation was ended by adopting the new EU-US agreement in July, 2016. The most important elements of the new regime are the following:

  • Annual joint review mechanism and stricter regulations
    One novelty of the regime is that the EU Commission and the U.S. Department of Commerce will annually and jointly monitor the privacy shield’s functioning and the additional commitments undertaken by the U.S. In order to ensure a higher level of transparency, the U.S. Department of Commerce will regularly review participating companies to monitor their compliance with the new regime. If a company does not comply with the regulations, it may face sanctions and also possible removal from the regime.
  • Clear safeguards on government access
    The EU Commission considers one of the greatest successes of the new regime to be the fact that for the first time, the U.S. undertook, via a legally binding document, to implement clear restrictions, safeguards and review mechanisms regarding the data access rights of U.S. authorities. The U.S. also undertook to refrain from mass or targeted surveillance. Any complaints submitted will be reviewed through an ombudsperson within the Department of State.
  • New possibilities for remedy
    The regime offers numerous accessible and affordable remedy possibilities in cases of data transfer violations. As a first step, complainants may resolve complaints directly with the company, whilst, alternatively, a free dispute resolution mechanism is also available. The complainant may also turn to its national data protection authority, which works together with its U.S. counterpart to investigate complaints. As a last resort, disputes may be settled by means of an arbitration mechanism.

We hope that the new regime will fulfill its purpose and simultaneously remedy the deficiencies of the previous regime, such as the lack of review mechanisms and enforceability, while also creating a more comprehensive legal environment.

Connect with us


Request for proposal