ICO publishes interim guidance on cross-border data transfers
Published 3 March 2016
What does this cover?
The ICO has published interim guidance on cross border transfers in light of the Schrems decision and the proposed Privacy Shield.
Although acknowledging that Schrems has cast doubt on the validity of transfers of personal data to the US under all mechanisms, the ICO has confirmed their acceptance of the use of SCCs (Standard Contractual Clauses) and BCRs (Binding Corporate Rules) for data transfers from the UK to the US in the absence of a Safe Harbor framework.
They have also confirmed that they will not be actively looking to take enforcement action against companies who were previously transferring personal data under the Safe Harbor regime. The interim guidance states that the ICO will not be hurrying to utilise its enforcement powers because no immediate increase in risk to individuals' personal data has arisen. The ICO will, however, continue to analyse complaints from data subjects regardless of the international data transfer mechanisms that are in place.
To view the ICO blog article Safe Harbor: 'Calmer waters on the horizon', please click here.
To view the interim guidance, please click here.
What action could be taken to manage risks that may arise from this development?
Organisations may take comfort from the ICO statement that it is not going to actively seek out companies who were previously making transfers under Safe Harbor to take enforcement action. However it is advised that organisations do still continue to seek to put in place standard contractual clause agreements when transferring data to companies who formerly relied on the Safe Harbor. The ICO statement confirms that these can be relied on for the time being at least.