Privacy Shield Update

End of Safe Harbor

The Consequences of the CJEU's
recent ruling for Organizations in Europe


What was Safe Harbor About?

Personal Data

EU organizations are not allowed to transfer personal data to countries outside the EU unless they guarantee adequate levels of protection. Safe Harbor provided a mechanism for companies to transfer personal data from the EU to the USA.

Over 7,000 Companies Took Part

The European Commission published a decision in 2000 that set up Safe Harbor. Thousands of companies, including the internet giants Google, Facebook, Apple and Amazon, took part.


The Framework relied on US companies "self-certifying" that they complied with the data protection standards required.

The CJEU's Ruling

The Court of Justice of the European Union (CJEU) ruled that the Safe Harbor Decision on data transfers to the US was invalid in a judgment dated 6 October 2015.

It also ruled that any future Safe Harbor Agreement 2.0 would not provide blanket immunity for any data transfers. National supervisory authorities are entitled to examine independently whether the transfer of a person's data to a non-EU state complies with EU law.

The Instigators

Max Schrems is an Austrian privacy activist. He's campaigned against Facebook in particular due to alleged privacy violations.

In 2014, he filed a complaint to the Irish Data Protection Commissioner in respect of Facebook. When the Data Protection Commissioner rejected the complaint, he applied to the Irish High Court for judicial review. The High Court made a preliminary reference to the CJEU, resulting in the latter's ruling striking down the Safe Harbor Framework.

Edward Snowden is an American whistleblower who leaked documents detailing global surveillance programs run by the NSA.

In the case brought by Max Schrems, the Irish High Court stated, "the Snowden revelations demonstrate a massive overreach on the part of the security authorities, with an almost studied indifference to the privacy interests of ordinary citizens. Their data protection rights have been seriously compromised by mass and largely unsupervised surveillance programmes".

Why was Safe Harbor problematic?

The Snowden revelations showed systematic mass surveillance on the part of US Intelligence.

Is Your Data Safer in the EU?

EU Law provides for safeguards and legal recourse.

What About the Alternatives such as Model Clauses or Binding Corporate Agreements?

Google and Facebook have stated that they are not affected by the Safe Harbor ruling because they have alternative arrangements in place such as model clauses or binding corporate agreements. Here's what the data consultants at Castlebridge Associates said about alternatives to Safe Harbor:

But, in reality, Model Clauses to cover transfers to the United States are, on foot of today's CJEU ruling, as useful as a Chocolate Teapot... perfectly fine until the heat comes. (Note: Binding Corporate Rules and others are in the same boat!)

What is the EU-U.S. Privacy Shield?

The EU-U.S. Privacy Shield is designed to replace the now-defunct Safe Harbor Framework. In summary it provides the following:

More Redress Possibilities

The EU-U.S. Privacy Shield provides that companies must reply to complaints from individuals within 45 days. Provision is also made for free-of-charge Alternative Dispute Resolution. Finally, as a last resort, there will be an arbitration mechanism to ensure an enforceable decision.

U.S. Government Promises

The U.S. will provide written assurances that any access of public authorities to public data will be subject to clear limitations, safeguards and oversight mechanisms. The U.S. Authorities will affirm that indiscriminate or mass surveillance will not take place.

Annual Joint Review Mechanism

There will be an annual joint review mechanism for monitoring the functioning of the Privacy Shield and the U.S. commitments, including as regards access to data for law enforcement and national security purposes.

Independent Viewpoints on the Privacy Shield Agreement

I have an incredible feeling of déjà vu. And a suspicion we'll be back at the drawing board before long. The text I've seen, while progress to an extent, doesn't appear to address key issues and will inevitably be challenged by a DP authority, an EU citizen, or the Parliament.
Even if Privacy Shield was bulletproof, it still doesn't apply to data processors outside of the FTC's remit. And as the Privacy Shield text was negotiated against the Directive instead of the Regulation that is replacing it, we will inevitably wind up faced with a renegotiation within the next 2 years or so. The ultimate fix lies not with the EU but on the US side. Legislative reform is inevitable to avoid repeating cycles of uncertainty.

The WP29 notes the major improvements the Privacy Shield offers compared to the invalidated Safe Harbour decision.
Given the concerns expressed and the clarifications asked, the WP29 urges the Commission to resolve these concerns, identify appropriate solutions and provide the requested clarifications in order to improve the draft adequacy decision and ensure the protection offered by the Privacy Shield is indeed essentially equivalent to that of the EU.

Can EU Organizations Protect Their Customers' Personal Data?

Until the USA offers effective safeguards, it remains uncertain whether transfers of personal data to the USA are safe.

These Companies Don't Answer to the NSA

European Alternatives to Common SaaS Categories

Organizations across the EU need to be able to take advantage of the benefits of software as a service and cloud computing in order to stay competitive in the global economy. That's why we've put together a list of EU-based companies that will only host your data in Europe.


Project Management Software


Personal Email

Hosting on Steroids


Online Sales Management Software


Messaging and Feedback Platform


Attribution and Analytics for Apps


Wireframing and Prototyping App


Platform as a Service

Personal Email


Live Chat for Website Support


Manage a Community


Create Online Forms


Online time tracking tool


Easy Email Marketing

Smart Survey

UK's Leading Online Survey Tool


End-to-End Encrypted Cloud Storage


Email Marketing



R2 Docuo

File Sharing and Workflow Management


Cloud Storage and Collaboration

chartmogul homepage


Build a better subscription business


Email service with a focus on privacy


This website includes links to third party websites controlled and maintained by others. We have no control over, or responsibility for, the content of any such websites.

This web site is provided by:
Planio GmbH
Rudolfstr. 14, Berlin, Germany
Fax: +49 (30) 577 0000-99

Registered office: 10245 Berlin, Germany
Authorized managing director: Jan Schulz-Hofen, M.Sc.
Court of registration: Amtsgericht Charlottenburg (Berlin)
Registration number: HRB 130617 B
VAT identification number: DE214836735

About Us

Planio is an award-winning project management and collaboration tool for developers. We're based in the European Union and we take your data security and privacy very seriously. So we built this site.