09 Sep 2016

Privacy Shield replaces Safe Harbor

The 1995 EU Data Protection Directive was an important initiative, designed to protect an individual’s privacy and to prescribe how information about individuals is stored and used. It resulted in similar data protection standards across the EU, including the Data Protection Act in the UK in 1998.

With the rise of the internet, this legislation was timely. To ensure that personal data on EU citizens stored outside the EU met the minimum standards required by the EU Data Protection Directive, any service used in the EU but based overseas had to demonstrate a similar level of compliance.

Most of the world’s technology services are based outside the EU, especially in the USA. As a result, an international standard called ‘Safe Harbor’ was developed, and in 2000 the EU recognised it as complying with the EU Data Protection Directive.

Organisations in the EU could store personal details outside the EU as long as the service met this standard.

This development was more important than many people realise. Companies whose services many of us use every day, such as Microsoft, Facebook, Dropbox, Apple, Google and Twitter, will store much of their data outside the EU.

Most organisations are also increasingly using cloud services, many of which are based overseas, for their email, file storage and surveys. However, following Edward Snowden’s leak, which revealed how easy it had been for US public authorities to access private data held by Safe Harbor-compliant companies, the European Court of Justice ruled that Safe Harbor no longer met the required EU standards.

This means that many organisations may have to stop using Safe Harbor-compliant companies and remove personal data from them, which will take a huge amount of reorganisation. For example, businesses may have to stop using services like Dropbox, MailChimp and SurveyMonkey. Organisations like unions and LGBT groups would also have to be much more careful about how they use social media, as information such as union membership or sexual orientation is deemed highly sensitive under data protection regulations.

To avoid this headache, and ensure that the required protections are provided, a new standard has been drawn up called ‘Privacy Shield’. Privacy Shield tightened up the requirements around access to personal data, and came into force in July 2016.

So far, only a fraction of Safe Harbor companies have signed up, but many more are expected to follow soon. Google, Microsoft and Salesforce are three of the best-known early adopters.

Data protection laws are due to be tightened even further next year in the EU and UK. Even after the Brexit vote, the UK cannot afford to fall behind in this area if it is to grow as an international digital economy, so it is unlikely that the UK will skimp on these standards.

There are complaints about the new Privacy Shield standard: some EU countries abstained from the vote, and some privacy advocates don’t believe it has gone far enough. If you work with personal data, be aware of these changes.

Check the website of any service you want to use. If it stores data outside the EU, check whether it meets this new standard. The full list can be seen at, but be aware that some services that have recently signed up, such as Google, are yet to be added to this list.
