The European Commission has adopted an adequacy decision approving the Privacy Shield framework for the transfer of personal data to the US, and the scheme became operational from 1 August (see here for background). Although some changes have been made to the original draft, national data protection authorities still have concerns about the Privacy Shield. As they are not bound by the adequacy decision, there remains a possibility of further challenge. The national authorities' first joint annual review will assess if any remaining issues have been solved and whether the safeguards are workable and effective.
Employers who have been relying on Safe Harbour to transfer personal data to the US now need to review their position, checking whether the organisations to which data is transferred are registered (or planning to register) under the Privacy Shield scheme and, if not, considering whether alternatives such as Standard Contractual Clauses or Binding Corporate Rules can be used. According to the ICO's blog, the ICO appreciates that organisations will need time to make the relevant changes, but they should not delay. The ICO hopes to publish updated guidance on international transfers "early in the Autumn".
Employers should also be aware of a challenge to the Standard Contractual Clauses on the basis that they too provide insufficient protection against mass surveillance by the US authorities.
Key contacts
Steve Bell
Managing Partner - Employment, Industrial Relations and Safety (Australia, Asia), Melbourne
Emma Rohsler
Regional Head of Practice (EMEA) - Employment Pensions and Incentives, Paris
Disclaimer
The articles published on this website, current at the dates of publication set out above, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your specific circumstances should always be sought separately before taking any action.