Information Commissioner’s Office publishes blog post on: The what, why and how of transferring data to the USA.

As previously reported in N2K, the European Commission has now issued its formal decision that the EU-US Privacy Shield provides adequate protection to allow personal data to be transferred to the US.  The scheme became operational on 1 August.

In a blog post dated 4 August 2016, Steve Wood, Interim Deputy Commissioner, advises that organisations still relying on Safe Harbour as the legal basis for transferring personal data to the US need to review their position.  The law says that data can only be transferred with adequate protection and Safe Harbour is no longer considered to give that protection, he says.  Further, “Doing nothing is not an option”.

Looking to use the Privacy Shield instead is one approach, Mr Wood says, and a good first step is to see whether the organisations you transfer data to in the US are looking to become part of the Privacy Shield scheme.  The Department of Commerce in the US, which will oversee certification under the scheme, has launched a dedicated website that offers advice to businesses: https://www.privacyshield.gov/article?id=How-to-Verify-an-Organization-s-Privacy-Shield-Commitments.  It is important to remember, Mr Wood says, “if the company you want to transfer data to is not certified, you cannot rely on the Privacy Shield”.

There are other ways to legally transfer personal data to the US as well.  Standard Contractual Clauses and Binding Corporate Rules can be used, for example.

The ICO says that it will also be updating its guidance on international transfers soon to cover the Privacy Shield.

Any transfers that continue solely under the Safe Harbour framework will breach the eighth data protection principle, and there could be circumstances where the ICO would contemplate enforcement action, in line with the ICO enforcement policies, Mr Wood says.  “Of course, we appreciate that organisations will need time to make the relevant changes, but the key is not to delay”, he says.

Mr Wood reminds readers that the Article 29 group of EU data protection authorities, of which the ICO is an active member, has given its collective view on the new agreement.  The group was clear that it was important to have an annual review process to make sure the system was working in practice.  This is something the US government and European Commission have committed to.

Mr Wood also says that while the Privacy Shield decision issued by the European Commission is legally binding, the area of international transfers is still not free from uncertainty.  There are cases currently being considered by the Court of Justice of the European Union that may also have an impact on other mechanisms for international transfers, and the CJEU might also be asked to consider whether Standard Contractual Clauses provide adequate protection for transfers to the US.  However, organisations can continue to rely on these clauses as well as other mechanisms in relation to international transfers.

In conclusion, Mr Wood says: “Despite the uncertainty, the ICO aims to provide guidance to organisations to help them remain compliant. We recognise that many organisations want to do all they can to comply”.