The Information Commissioner’s Office has published a new article on how they are responding to the European Court’s Safe Harbor judgment. The overall message is that data controllers should take stock and not panic. While noting that the judgment does remove some of the former legal certainty, the ICO is “certainly not rushing to use our enforcement powers”.
There’s an important reminder that the actual protection given to personal data isn’t changed by the judgment – “there’s no new and immediate threat”. Companies that gave undertakings under the Safe Harbor principles are still required by their US regulators to stick to those undertakings. That’s particularly relevant in the UK where the Information Commissioner encourages data controllers to make their own assessment of the risk of exports, rather than relying on others’ decisions. Although the ICO is working on updated guidance on how to do that, “for the most part it’s still valid” and the Safe Harbor undertakings can be taken into account.
While the legal position is likely to remain unclear till at least the end of January, when European regulators plan to review progress, it’s good to see our regulator recognising that both data controllers and data subjects are much better served by stability than any sudden changes of direction.
