New Safe Harbor Guidance from ICO


The UK ICO issues interim safe harbor guidance

Most of us are simply sitting back, hoping that the storm will blow over and waiting for the powers that be to get their collective acts together and sort this all out. Does the new safe harbor guidance support this strategy? It's certainly one that many, in our experience, have adopted, despite the clear warnings that US data transfers are illegal if organisations have not implemented alternative arrangements.

So does this new guidance offer any comfort to those adopting the 'wait and see' strategy?

What's in the guidance?

There is some background to the collapse of Safe Harbor and a review of the Schrems judgement (in case you weren't already aware), including a reiteration that Binding Corporate Rules (BCRs) are still considered a viable transfer mechanism, at least for the UK ICO.

We are, however, warned that Adequacy Decisions (where a data protection authority has ruled a country to have adequate privacy laws to allow transfers to take place) may not be safe and should not be relied upon.

So what is the ICO position? As they state: "we are not rushing to use our enforcement powers" and they [the ICO] "cannot create legal certainty where there is none".

The ICO suggests that organisations do not "rush to [implement] other transfer mechanisms that may turn out to be less than ideal", despite the fact that they must still consider complaints from individuals who feel they are compromised by their data being transferred to the US. This advice extends to your use of Cloud Service providers, whom the ICO expects to act to bring their services into line with the new legal landscape.

In short, the strategy of sitting back and waiting for the storm to blow over actually has a sound basis. It would be our advice, additionally, to bolster this position by conducting Privacy Impact Assessments (PIAs) to show that you have identified, and are working to mitigate, the risks to individuals. You're going to have to do this anyway come the GDPR, so why not start now, get a head start, and protect your current position in 'times of legal uncertainty'.

We can help you develop and deliver your PIA programme.

To read the full UK ICO Guidance, follow this link