Following the Article 29 Working Party’s announcement earlier this month, the UK’s Deputy Information Commissioner yesterday published a blog summarising the ICO‘s view of the world.
There are a few key points to note:
- The ICO acknowledges that there remains uncertainty on the effect that the Schrems decision will have on the use of other data transfer mechanisms approved by the European Commission, such as model clauses and binding corporate rules. As I’ve noted in previous blogs, those other transfer mechanisms do not provide any greater protection against the concerns raised by the ECJ.* The ECJ’s decision might also impact on the Commission’s decisions that certain third countries provide an adequate level of protection.
- The ICO takes the view that whilst the ECJ struck down the decision approving Safe Harbor, the Safe Harbor scheme still provides a measure of protection for personal data. For example, as part of a finding of adequacy (more on that below).
- The ICO will not be rushing to use its enforcement powers whilst there remains so much uncertainty. The ICO will be working with its fellow national data protection authorities to review the wider impact of the decision and provide a common approach from regulators across the EU.
What does the ICO recommend data controllers should be doing?
The ICO’s advice is summed up in three points:
- Don’t panic – as noted above, the ICO is still reviewing the impact of the Schrems decision on other data transfer mechanisms. Given the ICO’s message on enforcement, data controllers should not rush to adopt other transfer mechanisms that may turn out to be less than ideal.
- Take stock – in the meantime, data controllers should work out what data transfers they have in place, what data is involved and what alternative arrangements could be used in place of Safe Harbor if no progress is made on a replacement scheme.
- Make your own mind up – finally, the ICO reminds data controllers that under UK law they have the option of making their own finding of adequacy for the purposes of the eighth principle, taking into account the nature of the data and the steps taken to ensure adequate protection for the rights and freedoms of data subjects.
I think this last point is unhelpful – at least in its current form. The ECJ made clear in its decision that its concern was focussed on the surveillance powers of the US Government, which it considered meant that there was not an adequate level of protection for the rights and freedoms of data subjects (the requirement of the eighth principle).
Given the basis on which the ECJ has struck down Safe Harbor, it is difficult to see how any data controller could now confidently make a finding of adequacy in relation to a US data transfer. It does not matter what diligence is done or what contract terms are put in place – those surveillance rights will continue to exist.
If this is to be a realistic option for data controllers then the ICO will need to clearly explain the situations in which it considers such a finding could be made. For example, is the ICO saying that incidental, ad-hoc and small scale data transfers in the course of the provision of IT support might be okay, whereas the use of a US based datacentre is not?
Safe Harbor 2.0
As the ICO says:
We can’t create legal certainty where there is none but we will continue to work with our European counterparts…to ensure…that we’re all delivering a single and sensible message.
It is clear that the ICO and the other national data protection authorities are hoping that the new data transfer pact being discussed between Europe and the United States (AKA Safe Harbor 2.0) will provide the solution. The ICO asks businesses (in particular multi-nationals) to urge member states, the European Commission and the US authorities to push this forward.
On Monday, Commissioner Jourova announced that the European Commission had “agreed in principle” with the US on a new pact for trans-Atlantic data transfers. However, it is clear that work still needs to be done to ensure the new pact satisfies the requirements of the ECJ. That means clearer controls on access to the personal data of Europeans by US intelligence services, greater transparency, and stronger oversight by the US Department of Commerce.
Commissioner Jourova anticipates significant progress being made on these points by mid November. Watch this space.
Brodies will be running a series of data protection update seminars at our offices in Aberdeen, Edinburgh and Glasgow next month, covering Safe Harbor, changes to EU data protection laws and other topical issues. To find out more and sign up visit our BInformed page.
*The German data protection authorities have now said that they are “doubtful” that model clauses and binding corporate rules are a valid method of transferring personal data to the US and will not authorise any new transfers.
On October 28, 2015