Data Protection and transfers to US under Safe Harbour
06 October 2015

On 6th October 2015, the Court of Justice of the European Union (CJEU) declared that transfers of personal data of EU citizens from the EU to the US cannot rely on the Safe Harbor framework agreement.

The Safe Harbour Scheme allows the transfer of data to US organisations certified under the scheme. However the Court has concluded that this scheme does not ensure an adequate level of protection of personal data as required by the European Data Protection Directive, as Safe Harbour certified organisations are unable to prevent mass surveillance by the US intelligence authorities of data transferred to the EU.This decision has significant implications for the transfer of personal data to US companies that are certified under Safe Harbour.

Research organisations that rely on Safe Harbour in order to legally process personal data in the US can be challenged on the basis that such data transfers are unlawful.

The Information Commissioner’s Office (ICO), as the local data protection authority, will have the final word on whether the arrangements are adequate for UK organisations. ICO have indicated that they are considering the implications of the decision and will issue guidance over the coming weeks. In light of this immediate action on compliance is highly unlikely. A full copy of the statement from the ICO is available here

MRS will continue to keep members updated on best practice and recommendations from the regulator. In the meantime, if you are currently relying on Safe Harbour to justify personal data transfers to the US you will need to consider your position. We recommend that you:

• carry out an assessment to see which of your data transfers were done on the basis of Safe Harbour certification
• consider alternative ways of ensuring adequate protection for personal data relating to EU citizens by:
• relying on other legal grounds such as if an individual has given unambiguous consent for the transfer of data for processing in the US e.g. in online work by notifying participants in privacy statement that transfers may be worldwide
• reviewing contractual arrangements and consider using Model Contract Clauses in the form approved by the European Commission
• over the longer term implementing binding corporate rules (BCR’s) for transfers within a corporate Group, recognising that BCR’s are time consuming and can be costly.