What You Need to Know About the New EU-U.S. Privacy Shield




On February 2, 2016, the much-anticipated agreement between the EU Commission and the U.S. outlining the framework for the transfer of personal data was finalized. Following the invalidation of the Safe Harbour rules by the European Court of Justice (ECJ) on October 6, 2015, the Commission issued new guidance on November 6, 2015. According to this guidance, companies could resort to other mechanisms to ensure adequate and secure protection for the transfer of personal data to the U.S., including model clauses that would ensure such protection. However, many companies were apprehensive about these alternative methods because such guarantees are cumbersome.

According to a press release issued by the Commission, the new EU-U.S. Privacy Shield reflects the requirements set out by the ECJ’s ruling back in October, obligating U.S. companies to protect personal data transferred from European companies. Increased cooperation with the European Data Protection Authorities as well as stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC) are among the requirements agreed upon.

Moreover, an ombudsman designated specifically for trans-Atlantic transfer of personal data is to be appointed to handle inquiries and complaints that European citizens may submit. The elements of the agreement clearly indicate that the EU Commission handled the negotiations with a firm hand, especially since the agreement seems to be sprinkled with typical European principles such as transparency, increased cooperation and an appropriate forum for redress, among other things. As the name of the agreement suggests, this time around, there was more emphasis on privacy, an area of focus which is near and dear to the EU.

Ultimately, the EU-U.S. Privacy Shield has replaced the Safe Harbour Agreement, and consequently any transfer of personal data between the EU and the U.S. is regulated by the new agreement, which ensures that U.S. companies importing personal data from the EU “will need to commit to robust obligations on how personal data is processed and individuals rights guaranteed.” This signifies that the alternative mechanisms suggested by the Commission as a reaction to the ECJ ruling will no longer be necessary, thus alleviating most concerns regarding the transfer of personal data.

About Rachel Gauci

Rachel Gauci serves as Legal Counsel for Credorax, forming part of the legal team in the Malta office. She has over 3 years of experience in payment services legislation and anti-money laundering law.

Adv. Gauci holds a law degree from the University of Malta. Credorax was the subject of the case study in her doctoral dissertation, entitled 'A Critical Analysis of the Payment Services Directive and its Practical Application'.

Prior to her role as Legal Counsel, Rachel was a Compliance Officer and an Anti-Money Laundering Legal Officer at Credorax.
Rachel provides legal advice on licensing requirements, contract negotiations, and any other ancillary issues concerning merchants, as well as legal advice concerning Credorax's core regulatory issues.