One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.


Privacy Shield – Unfinished Business

Thursday, April 14, 2016 - 09:23

The Article 29 Working Party’s new Opinion on the US–EU Privacy Shield draft adequacy decision leaves a lot of questions unanswered and further prolongs the period of uncertainty for anyone transferring personal data from Europe to the USA.

That began last October when the European Court of Justice declared that the US–EU Safe Harbor agreement could not be relied upon to protect the rights of data subjects to EU standards. Anyone using Safe Harbor (which only covered transfers to US commercial organisations) needed to move to an alternative. However, it was quickly noticed that the Court's arguments against Safe Harbor would also apply to the other export arrangements recognised by EU law – model contracts, binding corporate rules, etc. The Working Party, consisting of national data protection regulators, announced that they would review all these arrangements in February, giving the European Commission and US authorities three months to negotiate a better solution. Most Regulators (including the UK's Information Commissioner) also indicated that they would not begin enforcement action against data exporters while that review was continuing.

Exporters might therefore have hoped that the review would clarify which export arrangements were still regarded as being compliant with EU law, and provide a clear deadline by which exporters need to adopt them. Instead, the Opinion published yesterday provides a detailed analysis of the draft Privacy Shield arrangement that has been proposed by the EU and US as a replacement for Safe Harbor. The Working Party conclude that the new proposal has "major improvements" over Safe Harbor, but that the Commission needs to provide greater clarity and solve outstanding problems before they will be able to determine whether it does indeed provide "essentially equivalent protection".

There seems to be no comment on any of the other export mechanisms, nor any process or timetable for their status to be clarified. Exporters are left knowing that they should move away from Safe Harbor, but with uncertainty surrounding all the possible alternatives. They would no doubt agree with the Working Party's statement that "legal clarity is needed sooner rather than later", but this Opinion seems to extend, rather than reduce, the time we will need to wait.