Main Menu
Print PDF

EU Reaches Tentative Agreement with U.S. to Replace Safe Harbor

Cyber Law and Data Protection Law Alert | October 29, 2015
By: Randy Friedberg

On October 13, we wrote an alert concerning the October 6 European Court of Justice Ruling in Schrems v. Data Protection Commissioner in which the European Union (EU) - U.S. Safe Harbor for data transfer from the EU to the U.S. was invalidated. On October 26, the EU announced that it had reached an agreement in principle with the United States on a new data-sharing plan to replace the invalidated Safe Harbor.

The EU's Commissioner for Justice, Consumers and Gender Equality, VÄ›ra Jourová, gave a speech to the Committee on Civil Liberties, Justice and Home Affairs in which she said that the parties have resolved the controversy for now, but are still discussing how to ensure that the commitments they have made are sufficiently binding to fully meet the requirements of the EU.

She pointed out that the Court had noted self-certification, such as that provided by the Safe Harbor, may be acceptable so long as there are detection and supervision mechanisms. The U.S. has addressed these concerns, she noted, “by committing to a stronger oversight by the Department of Commerce, stronger cooperation with European DPAs and priority treatment of complaints by the Federal Trade Commission.” Commissioner Jourová stated that these commitments, “[w]ill transform the system from a purely self-regulating one to an oversight system that is more responsive as well as pro-active, and backed-up by significant enforcement, including sanctions.”

The European data protection agencies have given the U.S. and the EU until January 2016 to enter into a new agreement, and threatened to take action against U.S. companies transferring personal data from the EU if no deal is reached by then.

The full text of Commissioner Jourova’s speech may be found at:

We will continue to provide updates as developments warrant. For additional information, contact Randy Friedberg ( | 212.714.3079) or another member of the Cyber Law and Data Protection Group. 

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation and legal questions.
Back to Page