Data exports: update in 2017

The latest announcement from the Article 29 Working Party on the US-EU Privacy Shield also suggests that there shouldn’t be any short-term surprises for those using the other justifications for exporting personal data to the USA. The European Court judgment that invalidated the Safe Harbor agreement in 2015 was concerned, among other things, with the level of US state access to EU citizens’ personal data. The Working Party noted that those concerns applied equally to other forms of transfer to the US, including Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs), and planned to comment on those in January 2016.

That commentary never appeared. Instead, as part of the Privacy Shield agreement, the US government has undertaken to limit its access and provide more opportunities for Europeans to obtain remedies. The Working Party has now said that it will review those undertakings in a year’s time, and report on their effect on all export mechanisms, not just the Privacy Shield.

Until then, it appears that the UK Information Commissioner’s assurance in February stands: that “organisations can continue to use other tools such as SCCs and BCRs for transfers to the USA” in compliance with UK law.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!

Leave a Reply

Your email address will not be published. Required fields are marked *