Remember Safe Harbor? Time to forget it...


A fresh blog post from the ICO is a timely reminder that any business transferring personal data to the USA needs to be sure they are doing so legally, which means ensuring adequate protection for that personal data.

Following the legal challenge brought by privacy campaigner Max Schrems, the previous EU-US framework known as Safe Harbor is no longer "safe". In fact, it hasn't been for a while. Any business still relying on it to transfer data to the US is in breach of data protection laws and risking fines of up to £500,000 from the ICO.

So where do these businesses turn? The new "safe" is the shiny new EU-US Privacy Shield, which came online on 1 August 2016. It's essentially a beefed-up Safe Harbor, designed to address the concerns raised in the Max Schrems case, that personal data being sent to certain US businesses was being routinely accessed by US authorities with no redress for EU data subjects.

Who can rely on it? UK businesses can rely on the Privacy Shield to transfer personal data to the US, but only if the US recipient is certified by the US Department of Commerce (which opened its doors for applications at the start of this month). As with Safe Harbor, if the US business isn't signed up, the Privacy Shield won't be a legal basis for transfers to the US.

So what else is there?

  • Consent is the first port of call, but it's not always easy to obtain, depending on the way that personal data is collected. Consent also has to be freely given, specific and informed and, in some situations, such as the employer-employee relationship, it can be difficult to show that consent is freely given.
  • The EU Commission has decided that some countries provide adequate protection. These include, amongst others, Andorra, Argentina, Israel and New Zealand. Personal data can be transferred to these countries as if they were within the EEA.
  • Standard contractual clauses are another popular means of ensuring adequate protection. The sender and recipient of personal data sign up to a set of readymade terms, pre-approved by the EU Commission, that govern their respective rights and responsibilities in relation to processing the data. The problem is that standard contractual clauses are also under fire and, although safe for now, may eventually go the way of Safe Harbor.
  • Binding corporate rules, or "BCRs", are another option, but they are designed for transfers of data within a group of related companies, so are not for everyone. BCRs must also be authorised by the relevant data protection authority, so there are no readymade terms available and a number of hoops to jump through.

Clearly, there's no one-size-fits-all. For now, businesses transferring personal data to the US (or, for that matter, any other non-EEA country) should review their practices to ensure they are relying on a valid legal basis for doing so. There are potentially large fines, and a risk of reputational damage, for those who get it wrong.


That was until the Max Schrems case. The Court of Justice of the European Union removed the assurance that using Safe Harbor gave businesses, ruling that it did not provide adequate protection. But the baton Safe Harbor carried has now been passed to the EU-US Privacy Shield, which places stronger privacy requirements on US companies signed up to the scheme (e.g. greater transparency of privacy notices) and gives stronger redress mechanisms for individuals. Draft documents on the Shield were published in February. The European Commission has now issued its formal decision that the Privacy Shield provides adequate protection to allow personal data to be transferred to the US and the scheme became operational from 1 August.