The European Commission Decision on the adequacy of the protection afforded by the EU-US Privacy Shield was published in the Official Journal on 1 August 2016, and the US Department of Commerce commenced accepting Privacy Shield certifications from US companies on that date.
The Privacy Shield was negotiated between the European Commission and the US Department of Commerce following the European Court of Justice ruling in October 2015 which invalidated the Safe Harbour regime. Although only time (and litigation) will tell how effective the Privacy Shield will be, for the time being, it does at least provide some clarity and a new framework which can be relied upon.
Numerous organisations transferring data (including personnel data) between the EU and the US under Safe Harbour have been “sitting tight” waiting for clarity, irrespective of the fact that they were technically in breach of the Data Protection Act 1998 (“DPA”) during this period. It is vital that they now consider the new Privacy Shield regime, or implement an appropriate cross-border data transfer agreement.
The Information Commissioner’s Office (“ICO”) has made it clear that organisations still relying on Safe Harbour are in breach of the DPA – which carries the risk of enforcement action. Because of ongoing litigation, there remains uncertainty about the use of mechanisms such as Binding Corporate Rules and Standard Contract Clauses (both understood to be acceptable mechanisms for transferring data), and further guidance from the ICO is expected. In the meantime, all organisations should be seeking to ensure that transfers of data are properly protected.