skip to main content
Close Icon We use cookies to improve your website experience.  To learn about our use of cookies and how you can manage your cookie settings, please see our Cookie Policy.  By continuing to use the website, you consent to our use of cookies.
Global Search Configuration

Ovum view


On February 2, 2016 the European Commission announced that it had reached a preliminary agreement with US institutions on the upcoming Privacy Shield – the deal that will regulate the transfer of EU citizens’ personal data in lieu of the now-defunct Safe Harbor. The new framework is likely to be more burdensome for businesses than the previous one, given the stricter checks on compliance and the regular reviews to which they will be subject. This might be received as bad news by businesses; however, it cannot be considered surprising given the direction taken by EU institutions in protecting privacy in recent years.

A greater burden for businesses

Following lengthy and complicated negotiations, the European Commission has agreed a preliminary deal with US institutions to replace Safe Harbor, which was effectively struck down by the European Court of Justice (ECJ) in October 2015. The agreement ensures that US companies handling EU citizens’ personal data will be able to carry on doing so.

The new framework will be more burdensome than the previous one because it includes transparency obligations and regular checks on how companies handle the personal data they transfer to the US. In addition, there will be annual reviews of the functioning of the agreement. This is likely to provide an incentive for all parties to make it work in practice and should be an effective way to ensure that the framework remains up to date.

The details of the deal should come as no surprise to any of the stakeholders, given that a review of the Safe Harbor agreement was imminent even before the ECJ’s decision. The EC and member states’ national Data Protection Authorities have been much less tolerant of privacy breaches for several years now. The drafts that will be set out in the coming months will reveal the details of the deal’s dispute resolution and redress mechanisms, which are intended to ensure that EU citizens’ complaints can be handled properly if they fall victim of data breaches. However, we must now wait for US legislators to pass a judicial redress act as promised – something they should do soon if they have the interests of US tech companies at heart.


Further reading

“Not much (yet) to celebrate for the EU on Data Protection Day,” TE0007-000981 (January 2016)

Data Protection Tracker: 4Q15, TE0007-000955 (December 2015)


Luca Schiavoni, Senior Analyst, Regulation

Recommended Articles


Have any questions? Speak to a Specialist

Europe, Middle East & Africa team - +44 (0) 207 017 7700

Asia-Pacific team - +61 (0)3 960 16700

US team - +1 646 957 8878

Email us at

You can also contact your named/allocated Client Services Executive using their direct dial.
PR enquiries - Call us at +44 788 597 5160 or email us at

Contact marketing -

Already an Ovum client? Login to the Knowledge Center now