The data watchdog has echoed the famous words of Dad’s Army veteran Corporal Jones by telling businesses “don’t panic, don’t panic” over the demise of the safe harbour agreement.
In a blog post on the Information Commissioner’s Office website, deputy commissioner David Smith issues three key steps for businesses concerned about what to do now that the agreement has been ruled invalid.
He writes: “Our initial message is still valid. Don’t panic and don’t rush to other transfer mechanisms that may turn out to be less than ideal. The impact of the judgment on standard contractual clauses and binding corporate rules is still being analysed.”
Smith stresses that the ICO will not be taking enforcement action any time soon, as it recognises the importance of trans-Atlantic data flows and that it may take months for businesses to make changes.
Secondly, firms should take stock and find out what data they are transferring to the US and why. Safe harbour might not be the best method for your business to use to transfer personal data and there may be other avenues available, Smith claims, advising companies to check the ICO guidance on international data transfers.
Thirdly, UK businesses do not have to rely on EU Commission decisions on adequacy, as UK law allows a business to rely on its own adequacy assessment. Although this does not provide the same level of protection as Safe Harbour and is not helpful for businesses with operations in other EU states, the advice is, once again, to refer to the ICO’s guidance on this point.
Smith added: “We can’t create legal certainty where there is none but we will continue to work with our European counterparts in an effort to ensure that, as far as possible, we’re all delivering a single and sensible message.
“We very much hope that what many are calling Safe Harbour 2.0 will emerge and provide a strong and effective framework for protecting individuals when their personal data are transferred from the EU to the US.”