Personal Data Updates

EU-US Privacy Shield replaces Safe Harbor

With potential fines of up to 4% of total turnover, its worth keeping up to date with the latest attempts by the EU and the US to agree a framework to protect personal data that is transferred from the EU to the US.

Principle 8 of the UK’s Data Protection Act 1998 requires that any personal data transferred outside the EEA must have adequate protection. The Safe Harbor scheme was supposed to make sure that the transfer of data to the US was adequately protected. The scheme meant that data could be easily transferred to US companies who were Safe Harbor registered, without the need to put in place other bespoke solutions to comply with Principle 8.

After Snowden’s claims of mass surveillance by the US National Security Agency became public, the European Court of Justice ruled the Safe Harbor framework to be invalid as it does not adequately protect the privacy rights of EU consumers. Since then, any UK based business transferring personal data to the US has been facing a risk of non-compliance with the Data Protection Act.

On 02 February, a new framework (known as the Privacy Shield) was announced, but much of the detail is yet to be agreed. In the interim, there are a few steps that UK based organisations can take to reduce the risk of a breach:

  1. Do you really need to share personal data with the US entity? If an EU based solution can be used, then there is no need to consider Safe Harbor replacements.
  2. Can the data be anonymised without losing its usefulness? If so, then no personal data is being processed, and again, there is no need to consider Safe Harbor replacements.
  3. Can model contract clauses be put in place? The EU Commission has published some standard provisions, but many of the large US based service providers are yet to adopt them.
  4. You may be able to go through an internal process to consider compliance, but that process will not automatically lead to a clean bill of health.

In nothing else, a review of all data protection policies and procedures for those that use US online or cloud based solutions is recommended. Contact us if you need help.

Leave a Comment