For those keeping an eye on developments around data protection the key talking point, other than the Data Protection Regulation (only 723 days to go), has been the removal of the ‘Safe Harbour’ regime in October last year. With Safe Harbour thrown to the side transfers of personal data to the US, where personal data is not considered to be given an adequate level of protection, by European Data Controllers became significantly more problematic. A rush to bring transfers in to compliance was seen with many organisations entering into Standard Contractual Clauses to ensure an adequate level of protection for their US data transfers. The European Commission and the US government also come together to launch ‘Privacy Shield’, which would act as a replacement for Safe Harbour.
Now two developments have potentially derailed these steps, bringing US data transfers back in to contention. First, the Irish Data Protection Commissioner, who started the ball rolling on throwing out of Safe Harbour, has now decided that a referral to the Court of Justice of the European Union is required to determine the legal status of data transfers under Standard Contractual Clauses. This raises the possibility of Standard Contractual Clauses going the same way as Safe Harbour and the main rout around the loss of Safe Harbour falling away.
As if that wasn’t enough, the European Data Protection Supervisor, an independent supervisor of EU institutions and advisor to the EU legislator, has publishes an opinion recommending that that Commission ‘comprehensively assess’ Privacy Shield, that it is ‘not robust enough to withstand future legal scrutiny’ and that ‘significant improvements are needed’ along with publishing a number of recommendations. This opinion strongly suggests that Privacy Shield will require more thought and transatlantic agreement.
Given these developments, the confusion around US data transfers is far from resolved. If Standard Contractual Clauses are thrown out, a key tool will have been lost to those engaged in transfers. At the same time, the criticisms levied on Privacy Shield suggest that further thought is required here and that a full resolution to the loss of Safe Harbour will not be in place for a while yet. Whatever happened, the situation as it stands is far from certain and care is required from any organisation transferring personal data from the EEA to the US.