The Interim Deputy Commissioner at the Information Commissioner’s Office (“ICO”), Steve Wood, has published a blog reminding organisations of their obligations when transferring personal data to the United States, pursuant to the case brought by Max Schrems in 2015, which led to the Safe Harbor framework being declared immediately invalid. Wood reminds organisations that continued reliance on Safe Harbor as a means to provide an adequate level of protection for the rights and freedoms of data subjects “is not an option.” Although it is accepted that implementation of the required changes may take time, the ICO, in certain circumstances, will contemplate enforcement action against companies that fail to comply with the provisions of the Data Protection Act 1998 (“DPA”). It is recommended that organisations do not delay.
One method of providing an adequate level of protection, and thereby complying with the provisions of the DPA, is to transfer personal data to Privacy Shield certified companies. Adopted 12 July, the Privacy Shield framework replaces Safe Harbor and introduces stronger protections for personal data, such as greater transparency requirements and more robust redress mechanisms. On its adoption date, the Privacy Shield entered into force immediately in the EU. In the United States, it became effective 1 August, and since then, several U.S. organisations have certified to the framework. Other options include the implementation of the EU Model Clauses and Binding Contractual Rules.
Wood, however, warns of uncertainty in the law governing international transfers. He highlights the report on the Privacy Shield published by the Article 29 Working Party, and the fact that several cases are currently being considered by the Court of Justice of the European Union, which may affect the current legal bases for international personal data transfers, and lead to the scrutiny of the other mechanisms for international transfers, e.g., the EU Model Clauses. The collapse of Safe Harbor certainly left choppy waters in its wake, and organisations would do well to consider the guidance and materials provided by both the ICO and the U.S. Department of Commerce.