US Safe Harbor Provision Suspended
The consequence of the ruling is that universities that currently rely on Safe Harbor will need to review how they ensure that they transfer data to the US in line with the law in the UK.
The European Court of Justice (ECJ) has recently ruled that the legal basis used by many organisations for the transfer of personal data to the US is invalid.
In a case brought against Facebook by an Austrian citizen, Max Schrems, it has said that the Safe Harbor arrangements do not provide adequate protection for the privacy of EU citizens.
This case will have a significant impact in the UK. It affects not only those with US operations or joint ventures, but all organisations that use outsourced services that use US-based servers. This may include payroll administration, CRM systems, cloud storage, email and website services (eg, online booking) and certain outsourced marketing services.
What does this mean for UK universities?
The consequence of the ruling is that universities that currently rely on the Safe Harbor provision will need to review how they ensure that they transfer data to the US in line with the law in the UK. In light of the ECJ ruling, many will now be operating in breach of the Data Protection Act.
The Information Commissioner's Office has indicated in its initial response that it recognises that it will take some time for organisations to carry out those reviews and put new systems in place. That is welcome since it means that there is no immediate threat of enforcement action for non-compliance in this respect.
However, if your university transfers personal data to the US, including by using such tools as Google Drive, Microsoft 365 or other cloud storage, we strongly recommend that you review your position as a matter of some urgency.
To discuss how our experienced data protection team can help you, please contact Andrew Gallie on 0117 314 5623.
