Safe Harbor to Privacy Shield

Safe Harbor to Privacy Shield

As of December 2015, the European Parliament, Council and Commission have approved the rules associated with the General Data Protection Regulation to replace the 1995 Data Protection Directive within the European Union (EU). This becomes an important consideration for companies based in the United States and other countries due to a fundamental change with regard to the regulation. The EU-US Privacy Shield complements this to set expectations for how data will be treated when it flows across the atlantic.

What has Changed? – Specifically, any company doing business with a citizen of the EU while the person is on its soil, will be held accountable to these rules defined by the EU Commission. However, each company’s accountability will be to their respective country’s Supervisory Authority. This of course requires the country to have this Authority in place and enforceable laws for businesses to understand. This applies to personal data as documented by the EU, which is defined as follows:

“Personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, your posts on social networking websites, your medical information, or your computer’s IP address. The EU Charter of Fundamental Rights says that everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet.”

Other key changes for businesses are:

  • Simplified transactions for companies doing business in the EU due to a consistent set of data protection rules across all EU countries
  • One Supervisory Authority for each country for accountability purposes
  • Consistent rules will be built into products to promote privacy-friendly innovation

Additionally, this changes the world for consumers, such that it provides:

  • Accessibility to a person’s own data in a clear and understandable way
  • The right to data portability from one service provider to another

Assuming this is finalized as scheduled in the spring of 2016, it will become law at the same time in 2018. The GDPR has many more aspects to it as defined in the full document, but this highlights a few considerations for US companies that have a presence in the EU or do business with EU citizens. Ultimately, it will cause the US to consider what role its corporations will play in the protection of data associated with EU citizens.

Lastly, the EU-US Privacy Shield was constructed to regulate trans-atlantic data flows between EU and US companies and protect the rights of EU citizens when their data are being processed by US companies. The Privacy Shield replaces Safe Harbor and provides new parameters for US companies processing data containing information about EU citizens.

A Marketer’s Perspective – While these changes mostly affect companies and consumers located in the EU, the subtleties affecting the US are important for selected businesses. Professionals will be able to guide your company as to how these changes affect your company and whether changes are required to prepare for compliance with the regulation. However, a few questions to consider are:

  • Does my company sell or market to companies or citizens within the EU?
  • Does my company transact business with citizens within the EU?
  • Does my company share data with entities where EU citizen data are being exchanged?

Depending upon your answers to these questions and formalization of the agreement by the US to comply, you may need to adjust marketing policies and procedures. More to the point, marketers may need to be cognizant of how data under the scope of this prospective law is captured, shared and exchanged.

Real Applications – Given the status of the GDPR and Privacy Shield for the US and EU, there is more to come. If finalized, the Federal Trade Commission will be responsible for enforcing the privacy statements made by US companies needing to process EU data. Stay tuned to what the future holds as the final result may be a minimal change or set the stage for more meaningful transformation well beyond the boundaries of the EU.


Rita Heimes, Gabriel Maldoff & Anna Myers for, “Top 10 operational impacts of the GDPR”,  International Association of Privacy Professionals, January 28, 2016. Web. February 4, 2016.

“General Data Protection Regulation”, Wikipedia, January 25, 2016. Web. February 4, 2016.

“Agreement on Commission’s EU data protection reform will boost Digital Single Market”, European Commission, December 15, 2015. Web. February 4, 2016.

Stephen Dockery, “EU Data Law Shows Way Forward for Next Safe Harbor Agreement”, Wall Street Journal, December 18, 2015. Web. February 4, 2016.

“EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield”, European Commission, February 2, 2016. Web. February 4, 2016.

“Statement of FTC Chairwoman Edith Ramirez on the EU-U.S. Privacy Shield Agreement”, Federal Trade Commission, February 2, 2016. Web. February 4, 2016.

“EU-U.S. Privacy Shield”, Federal Trade Commission, February 2, 2016. Web. February 4, 2016.