Earlier this month, the Article 29 Working Party (WP29) published its initial response to the European Commission's announcement on Privacy Shield.

In short, the WP29 stated that it needed to see more detail in order for it to assess the proposals. Meantime, the use of the EU Standard Contractual Clauses (SCCs) and binding corporate rules (BCRs) remains a valid basis for transferring personal data outside the EEA, but it was up to the individual data protection authorities (DPAs) to determine whether they would take action in relation to ongoing reliance upon Safe Harbor. You can read more on the WP29's response in our blogpost on the Privacy Shield announcement.

Last week the Information Commissioner's Office (ICO) set out its views and its current approach to enforcement in the UK.

What is the ICO's current position on Safe Harbor and international transfers?

The ICO's position is that organisations can continue to use SCCs and BCRs for data transfers to the USA until such time as the WP29 has otherwise determined that those tools do not provide adequate safeguards. Given that potential uncertainty over the future of SCCs and BCRs for US data transfers, organisations should continue to take stock of their data transfers to the US (and the basis upon which those transfers are made) so that they can act promptly in the event that action is required.

In relation to on going reliance on Safe Harbor the ICO states that its position remains unchanged from its initial statement in October:

Whilst complaints can be considered...We will be guided by the risk posed to individuals and steps reasonably expected of data controllers. We will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome.

In other words, the ICO seems to be saying that it will not be pushing to take enforcement action, but if a complaint is made then it will need to investigate that in accordance with its usual processes.

Organisations will therefore need to consider whether they take steps now to move away from any current reliance on Safe Harbor (noting that similar challenges may emerge with SCCs and BCRs) or do nothing pending the outcome of the WP29's review of Privacy Shield and hope that no complaints are raised against them in the meantime.

In deciding on strategy, organisations will need to look at how and where they are relying on Safe Harbor, the data involved, the privacy impact and the likelihood of a complaint being raised. Many organisations are likely to decide that the lower risk approach is to adopt SCCs for their US data transfers.

Making a finding of adequacy?

The ICO's interim guidance on international transfers emphasises that data controllers in the UK can make their own findings of adequacy in relation to transfers of data outside the EEA; they need not rely upon a European Commission finding of adequacy:

In the meantime Safe Harbor can still be seen as providing a measure of protection for data transferred from the EU to the USA but businesses should be aware that the certainty of an adequacy decision of the Commission has now been removed and they should make their own assessment of risk to compliance

Whilst that is true, as I've noted previously however, given the CJEU's fundamental criticisms of Safe Harbor, it is hard to see how a data controller could confidently make a finding of adequacy in respect of a data transfer to the United States that is based on the data importer's compliance with Safe Harbor.

The ICO notes that relevant factors include the nature of the data being transferred, the recipient and the steps that can be taken to mitigate the risks to individuals. It would be helpful if the ICO provided guidance on how these factors would apply given the CJEU's general concerns over government surveillance. However, given the ICO's current position on enforcement action in relation to Safe Harbor that seems unlikely.

What are other DPAs saying about Safe Harbor?

Not all DPAs are taking the same approach as the ICO.

Notably, the French DPA (CNIL) recently announced that it had given Facebook three months to rectify a number of alleged breaches of French data protection law, including the ongoing use of Safe Harbor as a basis for US data transfers. Whilst Facebook claims that its US data transfers no longer rely upon Safe Harbor, it shows that some DPAs are starting to take enforcement action over Safe Harbor, notwithstanding the uncertainty over the validity of alternative mechanisms and the options available.

If your organisation operates in multiple EU member states then it is important to understand the approach being taken in each country and how that might impact on your business.

You can read the ICO's latest (interim) guidance on international data transfers on the ICO's website. If you would like to discuss what steps your organisation should be taking, please get in touch.


Martin Sloan