Safe Harbor out, Privacy Shield in

12th February 2016

The EU and US have finally agreed on a new data protection framework for the transfer of personal data from Europe to the US known as the EU-US Privacy Shield – but what does this really mean for UK businesses?

Safe Harbor ruled invalid

Following Edward Snowden’s revelations about the extent of the US National Security Agency’s mass surveillance operations, an Austrian law student named Max Schrems alleged that Facebook Ireland was forwarding data to the NSA, via its California headquarters. The claims ended up before the Court of Justice of the European Union which ruled on 6 October 2015 that the Safe Harbor exemption was invalid.

As approximately 4,500 US companies were certified as complying with the Safe Harbor provisions, this has significant implications for UK businesses.

The new framework

It was announced on 2 February that the EU and the US had reached an agreement on the new framework which will include greater transparency around US government surveillance, redress for EU citizens and the ability to refer complaints to a US ombudsman.

When will the new framework come into force?

The EU Commission expects the Privacy Shield to come into force in three months’ time. However, there is no guarantee that it will ever actually be adopted.

The full terms of the agreement are not due to be delivered to the Article 29 Working Party (which is composed of representatives of the national data protection authorities in the EU member states) (the Working Party) until the end of February. The Working Party will then hold an extraordinary meeting to discuss the new scheme and to decide whether it provides adequate protection.  Its opinion is expected to be delivered in April.

The relevant US authorities will also need to formally adopt the scheme.

So what do UK businesses need to do now?

Firstly, businesses need to understand:

• what information they transfer outside of the EU
• who they transfer it to – is it a group company or a third party? and
• the basis on which the information is transferred – are they using the Safe Harbor exemption, model clauses or some other mechanism to keep personal data safe and secure?

Once businesses have identified which third parties are relying on the Safe Harbor exemption, they need to review the relevant contracts – do they deal with the current situation of Safe Harbor being declared invalid? If not, then they need to consider discussing the issue and potential solutions with those suppliers.

Businesses who engage in data processing on behalf of others will also need to check that they are not in breach of their contacts and consider opening discussions with their affected customers.

In the meantime, the following options are available to affected businesses:

• stop transferring data to the US – for example, use UK based data processors or make sure that your servers are located in the EU
  • Businesses need to check the contracts with their server suppliers carefully to ensure that the host company does not permit its US affiliates to access information stored on those servers, as this may amount to data being transferred outside of the EU.
• anonymise the data to be transferred so that it falls outside the scope of the Data Protection Act 1998 (the DPA)
  • The data may lose its usefulness if it is anonymised or, depending on the volume and type of data being transferred, it may simply be too onerous.
• amend existing contracts to include “Model Contract Clauses”
• adopt binding corporate rules (only available for intra-group transfers)
  • The application process for adopting these rules can be lengthy and cumbersome.
• assess their own compliance by way of “self-assessed adequacy”
  • This is a risky option as it does not guarantee compliance with the DPA.

Why the urgency?

After Safe Harbor was declared invalid, the Working Party issued a statement saying that it would allow organisations a 3 month grace period to put alternative data transfer mechanisms in place before any enforcement action was taken by local data protection authorities. This grace period ended on 31 January 2016.

Even though the Privacy Shield has now been agreed in principle between the EU and the US, the Working Party has stated that local data protection regulators may not wait for the details of the new framework to be published to determine whether this adequately replaces Safe Harbor, and that they may begin to take enforcement action in respect of “related cases and complaints on a case-by-case basis“.

To date, the Information Commissioner’s Office (the ICO) has encouraged organisations to review their data transfers to the US, but it has given no indication as to whether it intends to take any enforcement action or how harshly it will deal with any non-compliances. However, as the ICO can issue fines of up to £500,000 for breaches of the DPA, organisations can ill afford to take a “wait and see” approach.

The Regulatory and Compliance team have considerable experience helping businesses understand and comply with their data protection obligations. If you have any questions relating to the Privacy Shield or data protection generally, please contact Jeanette Burgess, Andrew Northage or another member of the team.