4 August 2016
It’s more than two years since a then little-known privacy campaigner decided to dispute Facebook’s compliance with EU data protection laws.
Max Schrems’ case would travel from Dublin to Luxembourg, and ultimately have ramifications from Stockholm to Silicon Valley.
The issue here was the eighth data protection principle, which requires organisations that want to transfer personal data outside of the EU to assess whether that country ensures an adequate level of protection for individuals. Some countries are deemed adequate by virtue of a decision by the European Commission. Transfers can also comply with the eighth principle by using mechanisms such as binding corporate rules or standard contractual clauses. Whilst the US is not on the list of countries deemed ‘adequate’, the European Commission did decide that transfers to the US would be adequate, so long as the organisations receiving the data were part of an agreement known as Safe Harbor.
That was until the Max Schrems case. The Court of Justice of the European Union removed the assurance that using Safe Harbor gave businesses, ruling that it did not provide adequate protection.
But the baton Safe Harbor carried has now been passed to the EU-US Privacy Shield, which places stronger privacy requirements on US companies signed up to the scheme (e.g. greater transparency of privacy notices) and gives stronger redress mechanisms for individuals. Draft documents on the Shield were published in February. The European Commission has now issued its formal decision that the Privacy Shield provides adequate protection to allow personal data to be transferred to the US and the scheme became operational from 1 August.
What does this mean for my organisation?
If your organisation is still relying on Safe Harbor as the legal basis for transferring personal data to the US, you need to review your position. The law says you can only transfer data with adequate protection, and Safe Harbor is no longer considered to give that protection. Doing nothing is not an option.
Using the Privacy Shield instead is one approach. A good first step is to check whether the US organisations you transfer data to have certified, or intend to certify, under the Privacy Shield scheme. The US Department of Commerce, which oversees certification under the scheme, has launched a dedicated website with advice for businesses, including how to verify an organisation’s commitments: https://www.privacyshield.gov/article?id=How-to-Verify-an-Organization-s-Privacy-Shield-Commitments. It is important to remember that if the company you want to transfer data to is not certified, you cannot rely on the Privacy Shield for that transfer.
There are other ways to legally transfer personal data to the US, too. Standard Contractual Clauses and Binding Corporate Rules can be used, and these are not the only options. More detail can be found in the relevant ICO guidance.
The ICO will also be updating its guidance on international transfers soon to cover the Privacy Shield.
Why do I need to act?
Any transfers that continue solely under the Safe Harbor framework will breach the eighth data protection principle, and there could be circumstances where we would contemplate enforcement action, in line with the ICO’s enforcement policies. Of course, we appreciate that organisations will need time to make the relevant changes, but the key is not to delay.
What might happen next?
The Article 29 Working Party of EU data protection authorities, of which the ICO is an active member, has given its collective view on the new agreement. The group was clear that an annual review process is important to make sure the system is working in practice. This is something the US government and the European Commission have committed to.
While the Privacy Shield decision issued by the European Commission is legally binding, the area of international transfers is still not free from uncertainty. There are cases currently being considered by the Court of Justice of the European Union which may also have an impact on other mechanisms for international transfers, and the Court may also be asked to consider whether Standard Contractual Clauses provide adequate protection for transfers to the US. However, organisations can continue to rely on these clauses as well as other mechanisms in relation to international transfers.
Despite the uncertainty, the ICO aims to provide guidance to organisations to help them remain compliant. We recognise that many organisations want to do all they can to comply.
We’ll keep you updated through our blogs and @ICOnews.
How can I get more information?
The ICO will be working to update guidance for organisations on international transfers, and we expect to complete that work early in the Autumn. We’ll also update the information we provide to the public through our website.
In the meantime, the Department of Commerce website offers factual information, while a guide for citizens has just been published by the European Commission.
Steve Wood is Interim Deputy Commissioner and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.