On 6th October 2015, the Court of Justice of the European Union (CJEU) declared that transfers of personal data of EU citizens from the EU to the US cannot rely on the Safe Harbor framework agreement.
The Safe Harbour Scheme allows the transfer of data to US organisations certified under the scheme. However the Court has concluded that this scheme does not ensure an adequate level of protection of personal data as required by the European Data Protection Directive, as Safe Harbour certified organisations are unable to prevent mass surveillance by the US intelligence authorities of data transferred to the EU.This decision has significant implications for the transfer of personal data to US companies that are certified under Safe Harbour.
Research organisations that rely on Safe Harbour in order to legally process personal data in the US can be challenged on the basis that such data transfers are unlawful.
The Information Commissioner’s Office (ICO), as the local data protection authority, will have the final word on whether the arrangements are adequate for UK organisations. ICO have indicated that they are considering the implications of the decision and will issue guidance over the coming weeks. In light of this immediate action on compliance is highly unlikely. A full copy of the statement from the ICO is available here
MRS will continue to keep members updated on best practice and recommendations from the regulator. In the meantime, if you are currently relying on Safe Harbour to justify personal data transfers to the US you will need to consider your position. We recommend that you:
Our newsletters cover the latest MRS events, policy updates and research news.