In 2015, the US Safe Harbor scheme was declared invalid by the Court of Justice of the European Union (the Schrems ruling). As a result, the processing of personal data in the United States, e.g. on websites such as SurveyMonkey, ClassDojo and Edmodo, has probably been in breach of Principle 8 of the Data Protection Act (the restriction on transferring personal data outside the EEA without adequate protection). The ICO's advice so far has been to "watch this space" rather than to remove all data from the US, on the basis that a replacement compliance scheme between the EU and the US was likely to be agreed.
The new EU-US Privacy Shield scheme has now been approved by the EU as the replacement for Safe Harbor. Like Safe Harbor, Privacy Shield is a voluntary self-certification scheme: a US company elects to comply with privacy rules equivalent to the EU's in order to receive personal data transferred from the EU. The US Department of Commerce is tasked with reviewing self-certifications to ensure compliance and with maintaining a public list of the US companies that are certified under the scheme.
It will take time for US companies to self-certify and for the Department of Commerce to review them. At the time of writing there are no companies listed on the Department of Commerce Privacy Shield website: https://www.commerce.gov/privacyshield
Going forward, before the Council stores any personal data in a US-based system, it is important from a Principle 8 compliance perspective to check that the company holds a current Privacy Shield self-certification. That check should be made against the Department of Commerce list itself rather than against a statement on the supplier's own website, and should be repeated periodically, since a certification can lapse or be withdrawn.
For any Council personal data already stored in the United States, e.g. on SurveyMonkey, ClassDojo and Edmodo, we need to review the forthcoming list of certified companies to confirm that these companies appear on it. If after a number of months these companies have not self-certified under Privacy Shield, we may need to consider removing Council personal data from their systems.
Given that the UK has voted to leave the EU, there is currently uncertainty about how this new EU-US agreement will apply to the UK once it has left the EU. Current thinking appears to be that the UK will have to comply with, or have law equivalent to, the GDPR.