In October last year the Court of Justice of the EU invalidated the Safe Harbour regime. This left many wondering how to continue with data transfers, with some saying to use the EU model clauses. Others, including the commissioner of Schleswig-Holstein, said that those clauses were not adequate as they were part of the same decision-making process that the court had now invalidated.
Thankfully, common sense prevailed and the EU Commission, the Article 29 Working Party and the UK Information Commissioner effectively said the model clauses were acceptable while Safe Harbour 2.0 was being finalised. In fact, the Article 29 Working Party set a deadline of the end of January for the implementation of the new Safe Harbour, after which it would encourage enforcement action, which could mean fines.
Well, the end of January came and went and there’s still no sign of Safe Harbour 2.0. If you’re still transferring data to the USA – and it’s unlikely you would have immediately stopped – what should you do?
What should I do?
- First, don’t panic. The US government is well aware of the need to get Safe Harbour sorted.
- Audit your data and what is being transferred – does it all need to be transferred?
- Re-evaluate your data security processes – are they adequate?
- Keep some or all of your data in the EEA – this always polarises the debate between the pro-USA and anti-USA lobbies, but it is worth considering
- Implement a data protection policy internally for staff and train them
- Implement contractual safeguards with customers & suppliers
- Be prepared to demonstrate that you (and your customers and suppliers) are compliant, not just that you’ve ticked a box or have written a contract
With agreement reached on the General Data Protection Regulation, you’ll have to revisit these issues over the next couple of years anyway. You may as well start now.