Privacy Shield: government working with ICO to ‘update guidance as soon as possible’

Written by Sam Trendall on 29 July 2020 in News
News

The invalidation of the EU-US data-protection agreement could have major ramifications for UK organisations’ legal responsibilities

Credit: PA

The government has said that it is working with the Information Commissioner’s Office to provide advice “as soon as possible” on what the end of the EU-US Privacy Shield agreement means for UK organisations and their data-protection responsibilities. 

Since 2016, the conditions set out in the Privacy Shield arrangement have ensured the lawful transfer of personal data between the US and the European Union. The agreement requires US data processors to self-certify their compliance, and binds them to certain conditions and obligations.

Privacy Shield came into effect in 2016, replacing the Safe Harbor agreement – which had invalidated by the Court of Justice following a legal challenge led by Austrian privacy activist Max Schrems.

This month, announcing its decision in the case known as ‘Schrems II’, the CJEU found that Privacy Shield is now also invalid.


Related content


Although they can no longer rely on Privacy Shield as confirming a lawful basis for sharing personal data across the Atlantic, EU organisations have been advised that they may be able to rely on standard contractual clauses (SCCs) in their agreements with the data processor in question.

But this may not always be the case and, according to the ICO, UK organisations “must conduct a risk assessment as to whether SCCs provide enough protection within the local legal framework – whether the transfer is to the US or elsewhere”.

“The receiver of the data may be able to assist you with this,” the regulator added. “Supervisory authorities have an important role to play in the oversight of international transfers. We are therefore taking the time to consider carefully what this means in practice. We will continue to apply a risk-based and proportionate approach in accordance with our regulatory action policy. The ICO understands the many challenges UK businesses are facing at the present time and we will continue to provide practical and pragmatic advice and support.”

Minister for media and data John Whittingdale said: “The UK government is working with the Information Commissioner’s Office and international counterparts on the implications of the judgment and to update guidance on international data transfers as soon as possible.”

Responding to a written parliamentary question from Labour MP Chi Onwurah, the minister added that, once the country leaves the EU, the UK will be responsible for taking its own measures to ensure that data is transferred overseas lawfully.

“During the transition period the CJEU’s decisions are binding on the UK,” he said. “From the end of the transition period, the UK will be responsible for the means by which personal data may be lawfully transferred to countries outside of the UK, including adequacy decisions and alternative transfer mechanisms.”

 

About the author

Sam Trendall is editor of PublicTechnology

Share this page

Tags

Categories

CONTRIBUTIONS FROM READERS

Please login to post a comment or register for a free account.

Related Articles

UK’s ‘next cyber crisis’ likely to come from mistake or misfortune – outgoing NCSC head
7 September 2020

Ciaran Martin believes major security incident is still more likely to come from ‘unintentional consequence’, rather than attackers’ expertise

The coronavirus ‘infodemic’: truth and conspiracy online
15 September 2020

The spread of online misinformation during the Covid-19 pandemic has exacerbated a public health crisis. PublicTechnology digs into a recent parliamentary inquiry to find out...

‘Our adversaries are investing in AI’, warns military intelligence chief
14 September 2020

Russia and China are increasingly operating in a ‘grey zone between war and peacetime’, according to the government

Parliamentary officials warned of cyberthreat from Extinction Rebellion
1 September 2020

Civil servants working on select committees were given security advice in expectation of possible attack