EU-US Privacy Shield: “Doing nothing is not an option” says UK regulator
With the new EU-US Privacy Shield framework in force from 1 August 2016, the UK Information Commissioner’s Office blog has summarised the current position for transfers of personal data to the United States.
Privacy Shield has replaced the previous “Safe Harbor” regime, which was invalidated by the Court of Justice of the European Union (CJEU) in the Schrems judgment of October 2015. The Court held that the US did not offer an adequate level of protection of personal data. This meant that, since October 2015, businesses have not been able to rely upon Safe Harbor as a means of complying with data protection laws when transferring personal data to the US.
What businesses should be doing now
The ICO emphasises that businesses which transfer personal data from the EU to the US need to act to ensure that they are compliant with the new regulatory landscape. This is because any transfers of personal data that continue solely under the Safe Harbor framework will be in breach of the EU data protection laws, as well as domestic laws such as the UK Data Protection Act 1998.
Before relying on Privacy Shield, a business will need to check whether the organisations it transfers data to in the US are looking to become Privacy Shield-certified (if not already). The US Department of Commerce has launched a website offering advice on how to verify an organisation’s Privacy Shield commitments.
If the US organisation is not Privacy Shield-certified, then an alternative basis for legally transferring data to the US will need to be used, such as standard contractual clauses or binding corporate rules. However, the ICO highlights that the validity of such mechanisms is not free from uncertainty, due to cases currently before the CJEU seeking to challenge the validity of standard contractual clauses.
Although understanding that businesses may need time to take the necessary steps to ensure compliance, the ICO says that to avoid any enforcement action, the key is not to delay in taking such steps.
The ICO expects to publish updated guidance on international data transfers in early autumn 2016.
The ICO’s commentary reinforces one of the key points from our previous update on Privacy Shield, namely that the ongoing legal challenges at an EU level to the established options for transferring personal data outside the EU mean that businesses wishing to make such transfers should remain vigilant and adaptive. In addition to considering how to ensure that transfers are legitimised under currently available options, such as Privacy Shield and Model Clauses, businesses should also consider how they would respond if future CJEU decisions were to rule out their use.
In this respect, the General Data Protection Regulation offers hope for businesses struggling to find ways to legitimise data transfers. Once it applies from May 2018, it will provide a broader range of options for legitimising data transfers outside the EU, and it aims to make it quicker and cheaper to adopt the more comprehensive data transfer solution of Binding Corporate Rules.
Disclaimer: This article is produced for and on behalf of White & Black Limited, which is a limited liability company registered in England and Wales with registered number 06436665. It is authorised and regulated by the Solicitors Regulation Authority. The contents of this article should be viewed as opinion and general guidance, and should not be treated as legal advice.