Data Protection clarity

The European Commission Decision on the adequacy of the protection afforded by the EU-US Privacy Shield was published in the Official Journal on 1 August 2016 and the US Department of Commerce commenced accepting Privacy Shield certifications from US companies on that date.

The Privacy Shield was negotiated between the European Commission and the US Department of Commerce following the European Court of Justice ruling in October 2015 which invalidated the Safe Harbour regime. Although only time (and litigation) will tell how effective the Privacy Shield will be, for the time being, it does at least provide some clarity and a new framework which can be relied upon.

Numerous organisations transferring data between the EU and the US under Safe Harbour (including personnel data) have been “sitting tight” waiting for clarity (irrespective of the fact that they were technically in breach of the Data Protection Act 1998 (“DPA”) during this period). It is vital that they now consider the new Privacy Shield regime, or implement an appropriate cross border data transfer agreement.

The Information Commissioner’s Office (“ICO”) has made it clear that organisations still relying on Safe Harbour are in breach of the DPA – which carries the risk of enforcement action. There remains uncertainty about the use of mechanisms such as Binding Corporate Rules and Standard Contract Clauses (both understood to be acceptable mechanisms for transferring data) because of ongoing litigation, and further guidance from the ICO is expected. In the meantime, all organisations should be seeking to ensure that transfers of data are properly protected.