Personal Data: US Safe Harbor

Principle 8 of the Data Protection Act (Schedule 1) prevents the transfer of personal data to a country outside the EEA unless that country has an adequate level of protection.

The Information Commissioner’s Office (ICO) website includes a list of non-EEA countries that the European Commission has determined have an adequate level of protection for personal data. The (short) list includes countries such as the Faroe Islands and Uruguay but the US is conspicuous by its absence.

However based upon a previous European Commission Decision (2000/520), personal data sent to the US under the voluntary ‘Safe Harbor’ scheme is adequately protected. To fall within this, US firms have to (a) sign up to the Safe Harbor arrangement under which it agrees to follow the principles of data handling and (b) be held responsible for keeping those principles by the Federal Trade Commission (or other oversight scheme).

The ‘Safe Harbor Privacy Principles’ and FAQs can be found in Annexes I and II of the Decision. Note from Annex III (‘Section 5 Exceptions’) that certain companies such as US financial institutions are not covered by the Safe Harbor scheme – a list of companies that have signed up to the regime is available on the US Department of Commerce’s website.

On 6 October a press release by the Court of Justice of the European Union (CJEU) declared that Decision 2000/520 was invalid.

In practical terms, not being able to rely on ‘Safe Harbor’ is not the same as being unable to transmit personal data to the US and indeed the message from the ICO (in both an official statement and blog) is ‘don’t panic’. Firms that have relied on ‘Safe Harbor’ when transferring personal data to the US should refer to the ICO guidance on Principle 8 – which includes European Commission model contractual clauses and the assessment of adequacy of protection – and the stand-alone ‘ICO Assessing Adequacy’ guidance. Affected firms may take comfort from the ICO blog (from the Deputy Commissioner and Director of Data Protection) that “We’re certainly not rushing to use our enforcement powers. There’s no new and immediate threat to individuals’ personal data that’s suddenly arisen that we need to act quickly to prevent”.

COntact us for assistance

Please fill our free consultation form and a member of our team will get in contact with you.