
The Abolition of Safe Harbour - How does it affect recruitment businesses and what are the alternatives?

on Monday, 08 February 2016.

In October, the European Court of Justice (ECJ) declared the Safe Harbour scheme invalid. The scheme was one of the principal bases on which UK organisations transferred data to the US in compliance with the Data Protection Act (DPA).

Transfers of personal data outside of the European Economic Area (EEA) have to comply with the eighth data protection principle. The organisation responsible for transferring the data must ensure that there is an 'adequate level of protection' in the destination country, otherwise the overseas transfer is not permitted under the DPA.

Previously, recruitment businesses using the Safe Harbour scheme to transfer personal data to the US would have been assured that such transfers of personal data under the scheme were in compliance with the eighth data protection principle. However, following the ECJ decision, businesses can no longer rely on Safe Harbour to help ensure compliance for US transfers.

The ECJ's decision will have an impact on recruitment businesses that transfer personal data to the US, either themselves or through a third-party data processor. For example, recruitment businesses which use cloud-based storage, web-based services, or outsourced services that use US-based servers will be affected by the decision.

Recruitment businesses that use such services may now be in breach of data protection laws and will need to review how they ensure compliance going forward. Non-compliance with the DPA can lead to a number of penalties. The Information Commissioner's Office (ICO) can serve enforcement notices and impose fines of up to £500,000. Furthermore, there is a risk of adverse publicity and reputational damage for those businesses that do not comply with the Act.

The ICO has warned businesses not to panic and has indicated that it will not be taking immediate enforcement action. However, there is an expectation that the ICO may begin to take enforcement action soon, so recruitment businesses should be taking steps now to review their practices and consider the Safe Harbour alternatives.

Alternatives that would be compliant with data protection laws, and that are recommended to recruitment businesses, include:

  • using the model contract clauses provided by the European Commission for international data transfers
  • obtaining consent of data subjects
  • assessing the adequacy of the destination country, which in effect means carrying out due diligence on the transfer

The other option is to wait until the new 'Safe Harbour 2.0', otherwise known as 'privacy shield', has been completed. The new framework, which was agreed by the US and EU at the start of February, will allow the lawful transfer of personal data to the USA.

No deadline has been announced for completion of the new framework and only limited detail is currently available. However, the EU Commission is preparing an 'adequacy decision' for discussion by EU data protection regulators and governments.

What is known is that the framework will be a voluntary code which US companies may wish to sign up to, but that the risk of non-compliance with EU data protection requirements remains with EU data controllers.

It is too early to know what procedures and contracts need to be put in place to ensure compliance with EU data protection legislation. Therefore, for the time being, we do not recommend amending any existing policies or documents which might subsequently have to be amended further once the framework is finalised.

There are pros and cons with each of these options. Relying on consent is, in particular, fraught with difficulty in the context of personal data processed for recruitment purposes.


For more information on the implications of the Safe Harbour decision and what your recruitment business should be doing, please contact Andrew Gallie on 0117 314 5623.