As we know, the US ‘Safe Harbor’ scheme was declared invalid by the European Court of Justice in October of last year (the Schrems judgment, October 2015) – see Regulatory Roundup 70.
The issue at the time centred on Principle 8 of Schedule 1 to the Data Protection Act 1998, which prohibits the transfer of personal data to a country or territory outside the EEA unless that country or territory ensures an adequate level of protection for the rights of data subjects.
The Information Commissioner’s Office (“ICO”) website includes a list of non-EEA countries that the European Commission has determined have an adequate level of protection for personal data. The (short) list includes countries such as the Faroe Islands and Uruguay but the US is conspicuous by its absence.
As a reminder, under a previous European Commission Decision (2000/520/EC), personal data sent to the US under the voluntary ‘Safe Harbor’ scheme was deemed adequately protected. To benefit from this, a US firm had to (a) self-certify to the Safe Harbor arrangement, under which it agreed to follow the scheme’s data-handling principles, and (b) be subject to enforcement of those principles by the Federal Trade Commission (or another recognised oversight body). Note that certain companies, such as US financial institutions, fell outside the scheme because they are not within the FTC’s jurisdiction.
Since then a new framework for transatlantic data flows has been under development: the EU-US Privacy Shield. The ‘Shield’ is intended to address the requirements set out by the European Court of Justice and to impose stronger obligations on companies in the US, enforced by the US Department of Commerce and the Federal Trade Commission.
There is no firm date for the Privacy Shield to come into force – the framework still has to go through due process, including an opinion from the Article 29 Working Party and scrutiny by the European Parliament – although the consensus view is late Q2/early Q3 this year.