ICO latest advice on Safe Harbour

In early October the Court of Justice of the European Union (CJEU) – previously known as the European Court of Justice or ECJ – ruled that Safe Harbour was invalid. Safe Harbour gave businesses the legal certainty they needed to transfer personal data from the EU to the US.

The Information Commissioners’ Office (ICO) latest advice has not changed a great deal from their initial advice given to the DMA at a government roundtable. There is no immediate solution to the problem, the ICO is unable to give businesses the legal certainty they want at the moment, but has some advice.

Deputy commissioner David Smith, had 3 key points for businesses in the latest blog article.

His first message is: do not panic and rush into anything. Let the dust settle before you make a decision on what to do. The ICO will not be taking enforcement action as they realise it may take some time for businesses to make changes and the importance of trans-Atlantic data flows.

The other two options open to businesses to replace Safe Harbour are: model contract clauses and binding corporate rules, both of which are open to the same challenge as Safe Harbour. Therefore, they are not a long-term solutions.

His second piece of advice is to ‘take stock’ and find out what data you are transferring to the US and why. It might be the case that Safe Harbour is not the best method for your business to use to transfer personal data, there may be other avenues available. Check the official ICO guidance on international data transfers.

Thirdly, UK businesses do not have to rely on EU Commission decisions on adequacy, as UK law allows a business to rely on its own adequacy assessment. Although this does not provide the same level of protection as Safe Harbour and is not helpful for businesses with operations in other EU states. Refer to the ICO’s guidance on this point.

Deputy Commissioner, David Smith, said;

“We can’t create legal certainty where there is none but we will continue to work with our European counterparts in an effort to ensure that, as far as possible, we’re all delivering a single and sensible message.

“We very much hope that what many are calling Safe Harbour 2.0 will emerge and provide a strong and effective framework for protecting individuals when their personal data are transferred from the EU to the US.”

Ultimately, Safe Harbour 2.0 is the only workable long-term solution to the current problem. The political pressure will be building on policymakers in the US and EU to find common ground so businesses have the legal certainty they need. At least for now businesses can rest assured that the ICO will not be taking enforcement action anytime soon.