Whats the Difference Between Privacy Shield and Safe Harbor?

September 08, 2016

On August 1, 2016 companies located in the United States that had customers or employees in the European Union became subject to the new Privacy Shield regulations. Prior to Privacy Shield approximately 5,500 US companies had certified with Safe Harbor — the cross-border regulatory framework of yesteryear. It would have made been very simple for companies to switch from one to the other, had they been an identical list of requirements, but the reason Privacy Shield replaced Safe Harbor is because things needed to changed.

To help you and your company quickly get up to speed on the differences between Privacy Shield and Safe Harbor, we’ve put together this concise list, as well as our Privacy Shield assessment tool that will walk you through the entire process of certifying with Privacy Shield.


While there is some hold over from Safe Harbor in the new Privacy Shield requirements, its best not to think of them as the same thing. They do however share the same data protection principles; which include (1) Notice, (2) Choice, (3) Accountability for Onward Transfer, (4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement and Liability.

The reason behind the change was the apparent lack of privacy protection for EU citizens, whose data was in the hands of US companies. So don’t be surprised that the Privacy Shield requirements add substantive and procedural privacy protections for EU individuals above and beyond what Safe Harbor had provided.

Below are the ways in which Privacy Shield is designed to better protect the privacy of customer and employee data. Just a warning, there are going to be a lot of lists.

(1) New Notice Requirements

Privacy Shield requires a number of new notifications that provide transparency for compliance as well as privacy protection practices. Any company certifying compliance with the Privacy-Shield framework must (1) include in its privacy policy a declaration of their commitment to the Privacy Shield principles, (2) a link to the Department of Commerce’s (DOC) Privacy Shield website, (3) and a link to the company’s website or a form for an independent recourse mechanism established to investigate consumer complaints.

Additionally, companies must inform consumers of (1) their rights to access their personal data, (2) the requirement to disclose personal data in response to a lawful request by public or law-enforcement authorities, (3) the identity of the enforcement authority with jurisdiction over the organization’s compliance with Privacy Shield, and (4) the organization’s liability in cases of onward transfer of personal data to third parties.

The EU is actively preparing the General Data Protection Regulation (GDPR), and the Privacy Shield notice requirements are designed to be correlated with this regulation.

(2) Implementation of Redress Mechanisms

Re dress (noun) — remedy or compensation for a wrong or grievance.

Privacy Shield provides several redress mechanisms for EU citizens who believes their personal data to have been misused by a US company. These redress mechanisms include (1) established timelines by which US companies must respond to complaints and (2) the ability to report complaints directly to the local EU data protection authority.

In the event a complaint is not resolved by a redress mechanism, Privacy Shield requires companies to commit to binding arbitration in order to resolve the complaint for the consumer.

(3) Heightened Onward Transfer Requirements

Onward Transfer refers to the use of third-party service providers such as Software as a Service (SaaS) vendors that may have access to customer or employee personal data. Similar to Safe Harbor, Privacy Shield has an Onward Transfer principle, however the Privacy Shield version of Onward Transfer requires US companies to enter into written contracts with all third parties that receive EU personal data. According to Privacy Shield these contracts must ensure that the third-party service providers are also complying with Privacy Shield principles in regards to safeguarding EU consumers’ personal data.

The Privacy Shield Onward Transfer principles apply to third-party controllers (i.e., third-parties authorized to use the information for their own purposes) as well as third-parties acting on behalf of the Privacy Shield organization (i.e., agents).

The Onward Transfer principles require (1) active management of service providers to ensure compliance and (2) careful contracting and due diligence of third-parties.


Companies certifying by September 30, 2016 are able to enter into a nine month grace period related to the Onward Transfer principle . Learn more here.


(4) Increased Oversight and Enforcement

Companies that fall under the requirements of Privacy Shield, due to the collection or use of personal data of employees or customers in the EU, must self-certify to with the Department of Commerce (DOC) that it adheres to the Privacy Shield Principles.

The Privacy Shield framework is written in legalize and can be difficult to work through. A simple tool to walk you through the Privacy Shield self-certification can be found here.

While an organization’s decision to self-certify is voluntary, once the self-certification has been submitted compliance is compulsory. An organization that self-certifies and publicly declares its commitment to comply must then fully adhere to the Privacy Shield principle or face the wrath of the DOC.


Whistic is an award winning risk assessment and analytics platform that makes it easy for companies to assess service providers or self assess against compliance and security standards (e.g. PCI, DSS). Headquartered in Orem, Utah at the heart of the Silicon Slopes, Whistic is the creator of the CrowdConfidence TM scoring algorithm that leverages the wisdom of crowds to assess the residual risk of sharing data with a vendor. Whistic was the recipient of the “Best Enterprise” award at the World’s Largest Startup Event: Launch Festival 2016.

For more information about Whistic, visit: https://www.whistic.com.

privacy privacy shield safe harbor standards saas

About the author

Whistic
Whistic

The latest insights and updates on information security and third party risk management.

Hate security reviews?
Want FREE AirPods?*

Offer valid for any decision-maker/influencer in relation to your company’s third-party risk management strategy. Company size must exceed 100 employees. Exclusions apply. Limit 1 pair per company.

Close