Exporting personal data to the US - Safe Harbour update

As reported back in October, the EU have invalidated the Safe Harbour mechanism as a way of exporting personal data to Safe Harbour-registered organisations in the US. The advice then was “don’t panic” – the ICO (the UK’s data privacy watchdog) have since reiterated that, prior to 31 January 2016, no action would be taken against organisations which would currently be in breach of data protection law as a consequence of reliance on Safe Harbour-based data transfers at the time of the ruling. The ICO advise that organisations ought to review their compliance during this grace period.

What should you do now?

Organisations which may be impacted by the invalidation of Safe Harbour would be well advised (prior to the end of January 2016) to review their current transatlantic flows of personal data, whether made directly or indirectly through their data processors. Organisations should consider whether model clauses (the EU-approved template clauses which are deemed to be data protection law-compliant) or binding (intra-group) corporate rules are appropriate as an alternative means of satisfying the requirements for data transfers under EU law. Failing that, organisations should consider seeking freely given consent from the individuals whose personal data is or will be exported to the US.