Today the UK data protection authority (the ICO) published a blog post and consolidated interim guidance on how to handle EU/US data transfers while the EU-US Privacy Shield is being scrutinised by the Article 29 Working Party.
The ICO’s position is more upbeat than that of most commentators and reflects its more pragmatic view of the data transfer process; indeed, the blog post is titled “Safe Harbor: calmer waters on the horizon.”
Key points are:
- the ICO considers that EU Model Clauses and Binding Corporate Rules can be continued to be used for transfers to the US
- complaints in respect of transfers under the Safe Harbor will be treated in line with the ICO’s usual regulatory policy, and the ICO is not rushing to use its enforcement powers while there is so much legal uncertainty around the solution
- the ICO considers that its published advice on international transfers remains valid “for the most part”
- the ICO stresses that UK-based businesses do not need to rely on Commission decisions on adequacy, and that it is open to businesses making their own assessment, particularly depending on the nature of the data transferred and associated risks
- the ICO will publish some practical advice for businesses, including SMEs on what they should or should not be doing in the interim
The ICO’s approach is refreshingly optimistic (although self-assessments of adequacy at this point are probably only for the very brave), and the IPO appears unwilling to wade in with an early enforcement action. However, it must be remembered that the Schrems judgment emanated from Ireland (traditionally a more controller-friendly authority), and that the timetable for such decisions is not always within an authority’s control.
To subscribe for updates from our Data Protection Report blog, visit the email sign-up page.