Comment below from Daniel Hedley, Associate at national law firm Thomas Eggar LLP regarding the European Court of Justice ruling on the Safe Harbour agreement.
“The CJEU’s declaration that Safe Harbour is invalid will obviously have significant implications for any EU business which uses US-based cloud services or which otherwise processes personal data in the US. However, it is important to understand that it does not mean that personal data cannot be exported to the US for processing at all; simply that the most convenient legal gateway to doing so lawfully no longer exists.
“Data protection law provides a number of other gateways to lawful export of personal data to a third country, such as data subject consent, standard form contracts and self-assessment, and the Commission has confirmed in its statement yesterday that those gateways remain available. While, in the long term, the court’s judgment could also leave some of those gateways vulnerable to attack on similar grounds to Safe Harbour, in the short to medium term they remain available.
“The ICO, the data protection regulator and principal enforcer here in the UK, has indicated that it is considering the judgment and will provide guidance for businesses in due course. Reading between the lines, it seems to have little appetite for instant, rigorous enforcement against the new situation. Businesses would be well advised to start the dialog process with their US-based cloud providers and other data processors, and to keep an eye on the ICO for further guidance.”