The latest announcement from the Article 29 Working Party on the US-EU Privacy Shield also suggests that there shouldn’t be any short-term surprises for those using the other justifications for exporting personal data to the USA. The European Court judgment that invalidated the Safe Harbor agreement in 2015 was concerned, among other things, with the level of US state access to EU citizens’ personal data. The Working Party noted that those concerns applied equally to other forms of transfer to the US, including Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs), and planned to comment on those in January 2016.
That commentary never appeared. Instead, as part of the Privacy Shield agreement, the US government has undertaken to limit its access and provide more opportunities for Europeans to obtain remedies. The Working Party has now said that it will review those undertakings in a year’s time, and report on their effect on all export mechanisms, not just the Privacy Shield.
Until then, it appears that the UK Information Commissioner’s assurance in February stands: that “organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA” in compliance with UK law.