Safe Harbor: update
Following the recent Safe Harbor case (see our article “The end of Safe Harbor”), the Information Commissioner’s Office has released a blog setting out the regulator’s views. This blog can be accessed here.
To recap, in the case of Schrems v Data Protection Commissioner, the CJEU ruled that the European Commission’s decision on the adequacy of the Safe Harbor framework was no longer valid – and therefore it was not appropriate for organisations to rely solely on Safe Harbor to meet the requirements of the eighth Data Protection Principle when transferring personal data to the US.
So how has the ICO reacted to this? The message from the ICO is threefold: 1) Don’t panic, 2) Take stock, and 3) Make your own mind up. But what does this mean in practice?
1. Don’t panic
The message from the ICO is reassuring. It will not be rushing to use its enforcement powers where Safe Harbor is currently used, so organisations should not be panicked by the recent decision of the CJEU into switching to other mechanisms for legitimising data transfers which may be less than ideal.
2. Take stock
The ICO recommends organisations ask themselves: What personal data is your business transferring outside the European Economic Area? Where is it being transferred? What arrangements are in place to ensure personal data is adequately protected? If you are currently using Safe Harbor, what alternative mechanisms might you use if there is no progress towards a new (safer) Safe Harbor?
3. Make your own mind up
The ICO notes on its blog that “… businesses in the UK don’t have to rely on Commission decisions on adequacy. Although you won’t get the same degree of certainty, UK law allows you to rely on your own adequacy assessment.” Whether this is an appropriate avenue depends on what personal data you are transferring and to whom you are transferring it.
This message from the regulator is helpful in that it suggests organisations will be given time to adapt to the new situation. However, that doesn’t mean organisations should be complacent or do nothing. There remains considerable uncertainty surrounding data transfers to the US, so organisations should act now to evaluate what personal data they are transferring outside the EEA and whether the safeguarding arrangements are adequate, as well as any contracts that are likely to be affected by the Safe Harbor ruling.