Following the approval of the EU-US Privacy Shield on 1 August 2016, the ICO has published a blog summarising the “what, why, and how” of transferring data from the UK to the USA.
Whilst it remains the case that transfers to the USA are “adequate” if the organisation receiving the personal data is certified under the EU-US Privacy Shield, the ICO makes it clear that any organisation still relying on the predecessor to the EU-US Privacy Shield, the Safe Harbor scheme, to transfer personal data from the UK to the USA needs to review their position. Seeking to continue to rely on the Safe Harbor scheme on its own will mean that an organisation is acting in breach of the Data Protection Act.
As a first step, the ICO recommends that any organisation looking to transfer data to the USA should ensure that the receiving organisation is certified under the EU-US Privacy Shield – if the receiving organisation is not certified you will need to rely on other ways to legally transfer the personal data to the USA.
At the present time, these include the model contractual clauses and binding corporate rules. However, the ICO is aware that such methods, whilst currently valid, are not free from uncertainty. This is not least because the Irish data protection regulator has referred the model contractual clauses to the EU court on the question of whether these clauses provide an adequate level of protection for international data transfers.
The ICO intends to issue guidance for organisations on international data transfers early in the Autumn – watch this space.
Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at lmonro@foxwilliams.com