On July 12, 2016, the European Commission formally adopted the EU-U.S. Privacy Shield to replace the previously invalidated Safe Harbor Framework as an adequate method of transferring personal data from the European Economic Area to the United States. The U.S. Department of Commerce (DOC) will begin processing self-certification applications on August 1, 2016.

Since the European Court of Justice invalidated the Safe Harbor Framework on October 6, 2015 in Schrems v. Data Protection Commissioner, the European Commission and the DOC have engaged in intense negotiations to develop an acceptable replacement for Safe Harbor. On February 2, 2016, the parties announced that they had reached an agreement on the replacement, which they named “the EU-U.S. Privacy Shield,” and released details regarding the Privacy Shield on February 29, 2016.

Almost immediately, EU data regulators expressed concerns about the Privacy Shield and its lack of details and protections regarding the U.S. government’s ability to conduct mass surveillance of transferred data, the independence of the U.S. ombudsperson who will adjudicate complaints from EU citizens regarding misuse of their data, and the lack of protections regarding data retention and transfers to other companies. As a consequence, the European Commission and DOC resumed negotiations and agreed on the adopted version, which the parties contend addresses these concerns as well as the legal issues raised by the European Court of Justice in the Schrems decision. However, Max Schrems, who brought the case that invalidated the Safe Harbor Framework, has announced that he will challenge the Privacy Shield, and the validity of the Privacy Shield is likely to be reviewed in the future by the European Court of Justice.

Next Steps for Employers

Between now and August 1, employers wishing to transfer personal data of EU employees to the United States should revise their data privacy policies and practices to comply with the Privacy Shield requirements. Employers currently using standard contract clauses to transfer personal data from the EU to the United States should consider self-certifying under the Privacy Shield, as the Irish Data Protection Authority is challenging the adequacy of standard contract clauses.

On July 28, 2016, Data Privacy Practice Group member Grant D. Petersen (shareholder, Tampa) will present a one-hour webinar entitled “Transferring HR Data Under the EU-U.S. Privacy Shield.” Please visit the Ogletree Deakins website to register.

