ICO takes a pragmatic view on transatlantic data transfers

The UK ICO says that while waiting for the possible adoption of the EU-US Privacy Shield, organisations can continue to use other tools such as Standard Contractual Clauses and Binding Corporate Rules to transfer personal data to the US. ‘Organisations should continue to take stock of the transfers they make and have a proper understanding of the legal basis, so that they are in a good position to act, should they need to. It may be useful to contact organisations in the US to which you transfer personal data to highlight the possibility that the Shield may need to be considered in future,’ ICO’s Head of Policy Delivery, Steve Wood, writes in a blog.

A political agreement for the new arrangement for EU-US data transfers was reached on 2 February. But this does not mean that there is a new framework. The next step is for the Commission to deliver all the details to the EU Article 29 DP Working Party, and draft an adequacy decision.

In the meantime, DPAs may enforce against companies if they regard their data transfer mechanisms inadequate, and if there have been complaints. The ICO, however, says that they will not be seeking to expedite complaints about Safe Harbor while the process to finalise its replacement remains ongoing and businesses await the outcome.

Until the Article 29 DP Working Party has produced its opinion on the Shield, there is not any new guidance for organisations at this stage, the ICO says.

See Article 29 WP statement on Privacy Shield

EU Commission press release on Privacy Shield