UK watchdog offers 'safe harbor' advice on US data transfers
Less tough than Germany
David Smith, deputy information commissioner, said businesses should "take stock" of their data transfer arrangements and review whether they provide adequate protection of personal data, as is required by EU law.
Smith's comments follow a ruling by the Court of Justice of the EU (CJEU) earlier this month. In 2000 the European Commission decided that companies meeting the requirements of the US "safe harbor" framework could transfer personal data from the EU to the US in a way that complied with EU data protection laws; the CJEU ruled that this decision was "invalid".
The CJEU came to its judgment after highlighting concerns about the access US authorities have to the transferred data and the lack of rights to judicial redress EU citizens have in the US when their data is mishandled.
EU officials are currently in the process of negotiating a new safe harbor agreement with US counterparts.
A number of other legal mechanisms exist which allow organisations to transfer personal data outside of the EU in a way which complies with EU data protection laws. However, the judgment has prompted debate about whether some alternative mechanisms for data transfer are in fact valid.
Smith said that companies can continue to rely on other European Commission decisions on data transfers at the moment. Smith referred to the Commission's decision to support the use of model clauses in contracts to govern how personal data is treated when transferred outside of the EU, and decisions the Commission has taken in designating certain countries, such as Argentina and New Zealand, as providing adequate protection for personal data when it is transferred to those countries from the EU.
"The existing Commission decisions on the adequacy of particular countries and on standard contractual clauses do still stand, and can be relied on by businesses, certainly for the time being," he said. "But the terms of the judgment inevitably cast some doubt on the future of these other mechanisms, given that data transferred under them is also liable to be accessed by intelligence services whether in the US or elsewhere."
However, mechanisms enabling data transfer are currently under review by the Article 29 Working Party, a committee made up of representatives from the EU's national data protection authorities. As a result, Smith said businesses that had been reliant on the EU-US safe harbor regime should not "rush to other transfer mechanisms that may turn out to be less than ideal".
"The first thing for businesses to do is take stock," Smith said. "Ask yourself what personal data you are transferring outside the EU, where is it going to, and what arrangements have you made to ensure that it is adequately protected. For some this will be no easy task."
"Then look at whether these arrangements are the most appropriate ones taking into account the ICO’s guidance on international transfers. If they include the safe harbour, what alternative mechanisms might you use if there’s no progress on a new safe harbor? But don’t rush to change, especially with the possibility that a new, improved and perhaps rebranded safe harbor will emerge," he said.
Smith suggested that businesses do not need to abandon the safe harbor principles altogether to remain compliant with EU data protection laws when transferring personal data to the US. He said the measures companies put in place to comply with the safe harbor principles would, though, need to be supplemented if the data transfers were to remain EU law compliant. UK companies can "rely on [their] own adequacy assessment" to transfer personal data outside of the EU, he said.
"Much depends here on the nature of the data that you are transferring and who you are transferring it to, but the big question is: can you reduce the risks to the personal data, or rather the individuals whose personal data it is, to a level where the data are adequately protected after transfer?" Smith said. "The safe harbor can still play a role here."
"Of course transfers can always be made on the basis of an individual’s consent but this doesn’t necessarily protect personal data any more effectively than the safe harbour which is, after all, what the CJEU case is all about," Smith said. "Indeed, individuals may be easily induced to give their consent to the transfer of their data to destinations where there is little or no protection when the safe harbour does at least provide them with some genuine protection even if such protection is imperfect."
Data protection authorities in Germany earlier this week outlined their views on EU-US data transfers in light of the CJEU's judgment. They confirmed that companies can no longer claim compliance with EU data protection laws for data transfers on the sole basis that they adhere to the requirements of the safe harbour regime.
Hamburg's data protection authority has said it will "check to see" if companies are continuing to "transmit data solely on the basis" of the safe harbor regime.
"This test will be done in particular at the subsidiary companies of Safe Harbor-listed US companies, which have their headquarters in Hamburg and submit their data to the parent company in the US," the Hamburg authority said.
It warned that it could issue "prohibition orders" to stop data transfer arrangements it finds that rely entirely on meeting the safe harbor requirements as demonstrating compliance with EU law.
Data protection law expert Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said: "The recent statements from the Article 29 Working Party, German authorities and now the ICO all relay essentially the same message about the appropriateness, or otherwise, of data transfer mechanisms in light of the CJEU's ruling. However, the statements do reveal different intentions in relation to how the different authorities intend to approach enforcement around data transfers to the US."
"Hamburg's watchdog, and perhaps other German authorities too, intends to take a pro-active approach in probing data transfer arrangements in its jurisdiction, whereas the tone taken by the ICO is less confrontational and more about pointing businesses towards solutions, even if only interim ones," he said.
"What the ICO's statement does not address, however, is how companies, particularly SMEs, can come to sustainable conclusions that the measures they have in place to protect data transferred to the US are adequate given the concerns expressed about US authorities' access to that data," he said. "In some cases, technical solutions – for example encryption or anonymisation – may help organisations as they consider their legal position," Dautlich said.
Copyright © 2015, Out-Law.com
Out-Law.com is part of international law firm Pinsent Masons.