A safe(ish) harbor for data transfers to the US

Subscribe to Business Support news feeds


The EU has agreed a new mechanism, known as the EU-US privacy shield, to allow the transfer of personal data from the EU to the US in certain circumstances. This privacy shield replaces the now invalid Safe Harbor provisions.


The Data Protection Act 1998 (DPA), which is based on an EU Directive, prohibits the transfer of personal data from the EU outside the EEA, except in tightly defined situations. Until last year, many companies relied on the US Safe Harbor provisions to transfer personal data to the US.  In October 2015, the CJEU ruled in the Schrems case that the Safe Harbor provisions no longer provided adequate protection for individuals’ data, leaving companies who transfer personal data to the US in limbo.

New EU-US Privacy Shield

The European Commission has now negotiated a new mechanism with the US, known as the EU-US Privacy Shield. This operates like the Safe Harbor agreement, but includes new safeguards. The European Commission’s position is that personal data can be transferred from companies in the UK to US companies if they self-certify that they meet the standards set out in the Privacy Shield. 

Whilst there is still some debate over whether the Privacy Shield will withstand challenge, it is good news for companies who used to rely on the Safe Harbor provision. That said, you may want to wait for updated guidance from the Information Commissioner before opting to rely on it.

What about BREXIT?

When the UK leaves the EU, we will be in a similar position to the US in that EU organisations will be restricted in their ability to transfer personal data to UK companies. The UK will need to establish that we can provide ‘adequate protection’ for personal data transferred to us.

There will also be an effect on the transfer of data from other non EU countries who currently allow transfers of data to the UK on the basis that we are covered by EU data protection law.  

This is one of the many factors that point towards a post-Brexit UK which either signs up to comply with EU data protection law or puts in place new UK data protection laws which are very similar to it. 

And don’t forget…new EU data protection law on the horizon

Note that there is a significant change on the horizon to EU data protection law. The General Data Protection Regulation, which is due to come into force in May 2018, makes wide reaching changes to the current regime which will affect HR activities and processes.

To find out what the GDPR and BREXIT mean for UK HR, click here to book your place on EEF’s November seminars, The new data protection law: impact on HR processes and employee records. The content of these seminars have been updated to reflect the BREXIT vote.


Legal Compliance Lead

Other articles from this author >
Barometer spot HR Barometer 2016

Download our report about the key challenges facing HR professionals in UK business.

Get your free copy>
business-support Practical HR and employment law advice, guidance and support

We handle over 52,000 queries each year

We are on hand to help you manage the pressures of workplace dynamics, implement legislative reforms and guide you to leverage talent to develop your workforce

Read more >
Teacher2small Develop your people

Discover our range of open and tailored training and development programmes.

Read more >
Online payments are not supported by your browser. Please choose an alternative browser or make payments through the 'Other payment options' on step 3.