Following the approval of the EU-US Privacy Shield on 1 August 2016, the ICO has published a blog summarising the “what, why, and how” of transferring data from the UK to the USA.
Whilst it remains the case that:
- the eighth data protection principle requires organisations that wish to transfer personal data outside of the EEA to ensure an adequate level of protection for data subjects; and
- the European Commission has not deemed the USA to provide such an adequate level of protection,
transfers to the USA are “adequate” if the organisation receiving the personal data is certified under the EU-US Privacy Shield.
The ICO makes it clear that any organisation still relying on the predecessor to the EU-US Privacy Shield, the Safe Harbor scheme, to transfer personal data from the UK to the USA needs to review its position. Seeking to continue to rely on the Safe Harbor scheme on its own will mean that an organisation is acting in breach of the Data Protection Act.
As a first step, the ICO recommends that any organisation looking to transfer data to the USA should ensure that the receiving organisation is certified under the EU-US Privacy Shield – if the receiving organisation is not certified, you will need to rely on other ways to legally transfer the personal data to the USA.
At the present time, these include the model contractual clauses and binding corporate rules. However, the ICO is aware that such methods, whilst currently valid, are not free from uncertainty, not least because the Irish data protection regulator has referred to the EU court the question of whether the model contractual clauses provide the adequate level of protection for international data transfers.
The ICO intends to issue guidance for organisations on international data transfers early in the Autumn – watch this space.
Laura Monro is an associate in the commerce & technology team at City law firm Fox Williams LLP and can be contacted at firstname.lastname@example.org