On October 27, 2015, David Smith, the UK Deputy Commissioner of the Information Commissioner’s Office (“ICO”), published a blog post commenting on the ongoing Safe Harbor compliance debate in light of the Schrems v. Facebook decision of the Court of Justice of the European Union. His key message to organizations was, “Don’t panic.”
After engaging in a brief analysis of the implications of the decision, David Smith asked, “Where does this leave businesses that are using the Safe Harbor?” Smith sums up the ICO’s advice in three key messages:
- Don’t Panic: The impact of the Schrems decision on other available transfer mechanisms and derogations (e.g. Standard Contractual Clauses, Binding Corporate Rules, consent, etc.) is still being evaluated.
- Take Stock: Organizations should, as a first step, consider what personal data they are transferring outside of the EU, and what arrangements they have in place to ensure that data is adequately protected. Organizations should also consider the ICO’s guidance on international data transfers, and what alternatives are available in respect of transfers that were previously covered by Safe Harbor. Smith notes the possibility that a new, improved Safe Harbor may be agreed upon, and cautions against significant immediate changes in light of this possibility.
- Make Up Your Own Mind: Smith highlights the fact that UK data protection law allows organizations to make their own adequacy determination in relation to particular transfers of personal data. Although this possibility is very fact dependent, the ICO confirms that this transfer mechanism remains open to UK-based organizations.
Finally, Smith notes that, although the ICO will consider complaints in relation to data transfers from affected individuals, it will continue to follow its previously published enforcement criteria. The blog post provides reassurance to UK-based organizations that the ICO will not rush to use its enforcement powers, particularly in light of the uncertainty around international transfers of personal data and the future of Safe Harbor. That being said, the ICO stands behind the previous statement issued by the Article 29 Working Party in relation to the Schrems decision, and did not rule out the possibility of enforcement action against organizations that have not taken steps to ensure compliance by January 2016.