On June 24, 2016, the European Commission announced that it had reached a final agreement with the United States on the terms of the EU-U.S. Privacy Shield, which will permit U.S. companies to transfer the personal data of European Union (EU) citizens to the United States in compliance with EU data protection laws. The terms of the final agreement address several concerns raised by EU regulators about the initial Privacy Shield agreement reached in February of 2016, including concerns about the U.S. government’s ability to conduct mass surveillance of transferred data, the independence of the U.S. ombudsperson who will adjudicate complaints from EU citizens regarding misuse of their data, and the lack of protections regarding data retention and transfers to other companies. 

The new agreement now includes:

  • a written commitment from the White House providing that intelligence services can engage in bulk collection of data sent from the EU to the U.S. only under specific and limited preconditions;
  • a commitment that the ombudsman will be independent from national security services; and
  • explicit data retention rules requiring companies to delete data that no longer meets the purpose for which it was collected.

While the final agreement has not yet been made public, it is anticipated that several key provisions of the initial agreement will remain unchanged.  

Impact of the Brexit Vote

With respect to companies transferring data from the United Kingdom (U.K.), the Brexit vote will not have any impact on the EU-U.S. Privacy Shield in the short-term, as Britain will not depart the EU until 2018 at the earliest. According to the U.K.’s information commissioner, the U.K. likely would adopt a similar program to the Privacy Shield after departing the EU to remain on equal footing with the EU.

Next Steps in the Implementation of the Privacy Shield

The revised agreement has been sent to the Article 31 Working Party, which is made up of representatives from the EU member states, for approval. The College of Commissioners is expected to adopt the agreement in a vote to be held in early July 2016.  U.S. companies will be able to use the EU-U.S. Privacy Shield for their data transfers shortly thereafter.


Browse More Insights

Modern dark data center, all objects in the scene are 3D
Practice Group

Cybersecurity and Privacy

The attorneys in the Cybersecurity and Privacy Practice Group at Ogletree Deakins understand that data now accumulates quickly and transmits easily. As the law adapts to technical advancements, we effectively advise our clients as they work to comply with new developments and best practices for protecting the privacy of the data that their businesses collect and retain.

Learn more
Glass globe representing international business and trade
Practice Group


Often, a company’s employment issues are not isolated to one state, country, or region of the world. Our Cross-Border Practice Group helps clients with matters worldwide—whether involving a single non-U.S. jurisdiction or dozens.

Learn more

Sign up to receive emails about new developments and upcoming programs.

Sign Up Now