“Don’t panic” ICO tells British firms after data sharing deal with US is torpedoed by top Euro court
The Information Commissioners Office (ICO) has sought to reassure British firms nervous of the implications, regarding the data sharing ruling made earlier this month by the European Union Court of Justice (CJEU).
The ICO reassurance comes after it was revealed that firms that continue to transfer EU individuals’ personal data to the US under ‘Safe Harbor’ rules potentially face legal action beginning at the end of January 2016.
That dire warning came after European data protection regulators (including the ICO) met in Brussels in mid October to consider the implications of the CJEU decision. The current Safe Harbor data-sharing agreement is used by around 4,000 companies to facilitate data transfers between the two territories.
But the data regulators confirmed that those transfers can no longer legally be carried out under the current Safe Harbour rules.
Yet the ICO has opted to sooth any data sharing worries and advised British firms not to panic in a blog posting on the matter.
That said, The British data protection watchdog admitted that the current US Safe Harbor agreement is “breached but perhaps not destroyed!”
“Not surprisingly there’s been huge interest in the impact of the judgement of the Court of Justice of the European Union (CJEU) regarding the US Safe Harbor scheme,” blogged David Smith, Deputy Commissioner and Director of Data Protection.
He described how the CJEU effectively removed the assurance that European businesses had if they transferred personal data to the United States.
In its ruling, the CJEU decided that the United States does not have adequate data protection laws, and it comes after months of increased spying tensions by US intelligence agencies, coupled with a data-protection complaint brought by 27-year-old Austrian law student Max Schrems against the Irish data protection commissioner (Facebook’s EU headquarters is in Ireland).
The ruling means that major US companies such as Google, Facebook and Amazon, will need to rework their data-sharing practices in order to maintain compliance with the law.
“It’s a complicated area,” admitted the ICO’s Smith. “The judgement did not strike down Safe Harbor itself, but focused on the Commission Decision that had given the assurance to businesses.”
The reason the Court made that decision was because of the ability of the US intelligence services to gain access to transferred personal data,” wrote Smith. “It took the view that the intelligence service had access beyond what it considered strictly necessary and proportionate for the protection of national security. Coupled to this is a lack of any right for non-US persons to seek legal remedies in the US for misuse of their data.”
The ICO said it had three pieces of advice for businesses.
Firstly it said that firms shouldn’t panic over the ruling.
“Don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal,” wrote the ICO’s Smith. “The impact of the judgement on standard contractual clauses and binding corporate rules is still being analysed. Of course transfers can always be made on the basis of an individual’s consent but this doesn’t necessarily protect personal data any more effectively than the Safe Harbor which is, after all, what the CJEU case is all about.”
Secondly businesses are advised to take stock of their situation.
“Ask yourself what personal data you are transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected,” said the ICO’s Smith. “Then look at whether these arrangements are the most appropriate ones taking into account the ICO’s guidance on international transfers. But don’t rush to change, especially with the possibility that a new, improved and perhaps rebranded Safe Harbor will emerge.”
And thirdly it said the businesses have to make up their own minds about the issue.
“It’s also worth bearing in mind that businesses in the UK don’t have to rely on Commission decisions on adequacy,” wrote Smith. “Although you won’t get the same degree of legal certainty, UK law allows you to rely on your own adequacy assessment. Much depend here on the nature of the data that you are transferring and who you are transferring it to but the big question is can you reduce the risks to the personal data, or rather the individuals whose personal data it is, to a level where the data are adequately protected after transfer? The Safe Harbor can still play a role here.”
The ICO admitted that the next few months will be critical, and it is hopeful that the Safe Harbor 2.0 will emerge and “provide a strong and effective framework for protecting individuals when their personal data are transferred from the EU to the US.”
The EU and the US have been in negotiations for the past two years over a new agreement to replace Safe Harbour that would better protect data transferred to the US.
In May it was revealed those negotiations are very close to completion.
Following the NSA spying revelations. Where do you store your data?