Privacy Shield: government working with ICO to ‘update guidance as soon as possible’
The invalidation of the EU-US data-protection agreement could have major ramifications for UK organisations’ legal responsibilities
The government has said that it is working with the Information Commissioner’s Office to provide advice “as soon as possible” on what the end of the EU-US Privacy Shield agreement means for UK organisations and their data-protection responsibilities.
Since 2016, the conditions set out in the Privacy Shield arrangement have ensured the lawful transfer of personal data between the US and the European Union. The agreement requires US data processors to self-certify their compliance, and binds them to certain conditions and obligations.
Privacy Shield came into effect in 2016, replacing the Safe Harbor agreement – which had invalidated by the Court of Justice following a legal challenge led by Austrian privacy activist Max Schrems.
This month, announcing its decision in the case known as ‘Schrems II’, the CJEU found that Privacy Shield is now also invalid.
Although they can no longer rely on Privacy Shield as confirming a lawful basis for sharing personal data across the Atlantic, EU organisations have been advised that they may be able to rely on standard contractual clauses (SCCs) in their agreements with the data processor in question.
But this may not always be the case and, according to the ICO, UK organisations “must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework – whether the transfer is to the US or elsewhere”.
“The receiver of the data may be able to assist you with this,” the regulator added. “Supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our regulatory action policy. The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.”
Minister for media and data John Whittingdale said: “The UK government is working with the Information Commissioner’s Office and international counterparts on the implications of the judgment and to update guidance on international data transfers as soon as possible.”
Responding to a written parliamentary question from Labour MP Chi Onwurah, the minister added that, once the country leaves the EU, the UK will be responsible for taking its own measures to ensure that data is transferred overseas lawfully.
“During the transition period the CJEU’s decisions are binding on the UK,” he said. “From the end of the transition period, the UK will be responsible for the means by which personal data may be lawfully transferred to countries outside of the UK, including adequacy decisions and alternative transfer mechanisms.”
Whistleblower raised concerns about practice that went unheeded
Newly created organisation aims to improve national resilience
Paper urges overhaul of financial planning system
Market research contracts worth £15m awarded
There are many reasons to keep your Oracle workloads running on local servers. But there are even more reasons to move them to the cloud as part of a wider digital transition strategy. Six Degrees...
Engage Process explains how to ensure that process remains at the heart of your management programs - and how to keep undue pressure from those processes
With the backdrop of the COVID-19 pandemic, every disaster now entails responding to at least two emergencies. Dataminr explains how organisations can best prepare.
As misinformation about the coronavirus vaccine spreads, Granicus outlines key considerations for local government when delivering a successful vaccine communications campaign