UPDATE, 02/03/2016: The European Commission has now published the legal texts that will put in place the EU-U.S. Privacy Shield.
When David Smith wrote about Safe Harbor back in October, he spoke about a critical few months that he hoped would see the emergence of Safe Harbor 2.0.
That process has taken a little longer than hoped, but after much activity in Brussels and Washington last week, the European Commission announced the EU-US Privacy Shield. The Shield is intended to replace the Safe Harbor framework, previously recognised as providing adequate protection for personal data transferred from the EU to Safe Harbor member companies in the USA.
The Article 29 Working Party, which is the grouping of European data protection authorities including the ICO, has consistently called for the European Commission and USA authorities to conclude their discussions on a replacement for Safe Harbor by the end of January. That deadline was met (just). The group met in Brussels last week to assess the latest position, as we said we would do back in October. The statement released on the back of that meeting last week welcomed the fact that the negotiations had concluded and the process to analyse what is proposed can start soon.
It is too early to say whether the new Shield provides adequate protection for personal data passed from the EU to the USA. The Article 29 Working Party will provide an opinion to the European Commission about the Shield, as envisioned under Article 30(1)(b) of the Data Protection Directive. It will also continue its work in assessing whether other transfer tools, such as standard contractual clauses (SCCs) and binding corporate rules (BCRs), can act as effective safeguards for personal data transferred to the USA.
We’re very much aware that organisations have been seeking clarity about how they can transfer data to the USA in compliance with the Data Protection Act. Until the Article 29 Working Party has produced its opinion on the Shield, there is not any new guidance for organisations at this stage – they must wait until the process of assessing the Shield is complete and the European Commission has made a formal decision on adequacy.
We’re clear that organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA. Organisations should continue to take stock of the transfers they make and have a proper understanding of the legal basis, so that they are in a good position to act, should they need to. It may be useful to contact organisations in the USA to which you transfer personal data to highlight the possibility that the Shield may need to be considered in future.
The Article 29 statement mentions that data protection authorities will consider complaints about transfers under Safe Harbor. Our position remains the same as in October – whilst complaints can be considered, the usual ICO regulatory policy will be applied. We will be guided by the risk posed to individuals and steps that can be reasonably expected of data controllers. We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome.
Some more detail about the issues and what we’ve said previously is now contained in this guidance note in the section on international transfers on our website.
Steve Wood’s department develops the outputs that explain the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.