Aside from the progress of the General Data Protection Regulation (GDPR) which we discuss below, the issue which has dominated the end of 2015 as far as data protection is concerned, is the fallout from the decision by the Court of Justice of the European Union (CJEU) which signalled the sudden end of the Safe Harbor mechanism for EU/US data exports.
EU data protection law prohibits the transfer of personal data to countries or territories outside the EEA unless they are considered to provide adequate protection. One of the ways certain US organisations used to be able to demonstrate an adequate level of protection was by signing up to the Safe Harbor principles, a self-certification standard operated by the US Department of Commerce and enforced by the FTC. In October 2015, a shock judgment from the CJEU effectively ended data transfers under Safe Harbor and, indirectly, cast doubt on other data transfer mechanisms to the USA.
The two fundamental concerns the EU has with transferring EU personal data to the US are the lack of judicial redress for EU citizens and the failure of protections afforded to US citizens in respect of their privacy to apply to EU citizens. The fact that there is no mechanism to assess whether access to EU data for intelligence purposes is necessary and proportionate is a major stumbling block.
At the time of writing, the situation is uncertain. Data export mechanisms like Binding Corporate Rules (BCRs) and Model Contract Clauses remain valid, but the German regulators have already said they will not be approving BCRs until there is more clarity around their validity. The UK’s ICO has urged organisations not to rush into alternative solutions until more is known about whether a new version of Safe Harbor (popularly known as Safe Harbor 2.0) will be agreed. While the ICO has said he will not be changing his enforcement policies for now, the Article 29 Working Party (comprised of European data protection regulators) has said it will begin active enforcement against unlawful transfers of data after 31 January 2016.
The EC is frantically trying to agree Safe Harbor 2.0 with the USA and is aiming to reach agreement in early 2016. Some hope is held out by the Judicial Redress Bill, currently before the Senate. If adopted, it would extend privacy protections given to US citizens under the Privacy Act 1974 to EU citizens. The EC is also watching other privacy developments in the USA. We are already seeing some companies moving to localise personal data, although this will not necessarily eliminate all data transfers and is not always a viable option.
Whether or not Safe Harbor 2.0 is agreed, the issue of how to export EU personal data to the US is likely to dominate the first half of the year at the very least.