
Thursday, 5 May 2016

Obtaining Valid Consent under the Data Protection Act 1998




This article was published on Lexis®PSL IT&IP in May 2016.



Background to Consent


To satisfy the first data protection principle in the Data Protection Act 1998 (“DPA 1998”) as derived from the European Data Protection Directive 95/46/EC, data controllers must be able to demonstrate, amongst other matters, that they have met:

  • one of the grounds for processing personal data under Schedule 2 of the DPA 1998; and
  • if the data constitutes sensitive personal data, then in addition to this, one of the grounds for processing sensitive personal data under:
    • Schedule 3 of the DPA 1998; or under
    • The Data Protection (Processing of Sensitive Personal Data) Order 2000 (SI 2000/417), which sets out additional conditions which allow the processing of sensitive personal data in limited circumstances.

One of the numerous legitimising fair processing conditions that can be complied with to enable fair and legal processing of personal data governs a situation where the data controller obtains ‘consent’ from the data subject before processing the personal data or sensitive personal data.


Under the eighth data protection principle of the DPA 1998, data controllers must also show how they can legally justify transferring a data subject’s personal data outside of the European Economic Area (the “EEA”). One of the grounds that might be used to justify such a transfer is also consent (following Article 26(1)(a) of the Data Protection Directive).


The requirements to comply with the fair processing conditions under the first data protection principle and to comply with the eighth data protection principle surrounding transfer of personal data outside the EEA apply unless a relevant exemption under the DPA 1998 exists.

What does ‘consent’ mean?


Although ‘consent’ was not defined within the text of the DPA 1998, UK courts and tribunals are required to interpret the terminology used in the DPA 1998 in accordance with the wording and purpose of the Data Protection Directive 95/46/EC.


Article 2(h) of the Data Protection Directive defines consent as:

‘any freely-given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed’.


Article 7(a) of the Data Protection Directive goes on to set out that the data subject should have unambiguously given his or her consent.


The European Union Article 29 Working Party (the “Art 29 Working Party”) has also produced Opinion 15/2011 (“the 2011 Opinion”) on their view of what is meant by ‘consent’ for the purposes of:
  • Directive 95/46/EC; and
  • Directive 2002/58/EC which was implemented in the UK through the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) (as revised by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011 (SI 2011/1208)) (“E-Privacy Regulations”).

Although Art 29 Working Party opinions are not directly binding on data controllers, they will be considered by the UK Information Commissioner’s Office (the “ICO”) when it is interpreting the DPA 1998. We have therefore taken account of the 2011 Opinion in drafting this Practice Note.


Is consent required and what happens if one cannot obtain consent?


As mentioned above, consent is one of a number of:
  • Fair processing conditions that may be relied on to enable fair and lawful processing of personal data under the first data protection principle;
  • Grounds to enable fair and lawful transfer of personal data outside the EEA under the eighth data protection principle.

It is not, therefore, mandatory to obtain consent if one of the other fair processing conditions under the first principle or one of the other international transfer grounds can be relied on.


Consent is, however, often used by UK data controllers in practice as the sole legitimising fair processing condition (or sometimes as a back-up to another fair processing condition or ground for processing), because it is often the easiest condition or mechanism by which the data controller can show that it has complied with the DPA 1998.


That is not to say that this is always the best condition or ground for data controllers to rely on. In actual fact, it can often be a poor way to secure compliance. This is because individuals may withhold their consent, their consent may be withdrawn (see below), or indeed the reasons for which consent was originally sought and granted may have changed. In the latter case, this would mean that the data controller could no longer rely on the consent originally given.

For these reasons, it is always prudent for data controllers to consider if another fair processing condition or international data transfer ground would be better to rely on in any particular case.


Obtaining consent for the processing of sensitive personal data


Where consent is used as a legitimising ground for processing:

  • Personal data under Schedule 2 of the DPA 1998, it is stated that this should be where: ‘the data subject has given his consent to the processing’;

  • Sensitive personal data under Schedule 3 of the DPA 1998, it is stated that this should be where: ‘the data subject has given his explicit consent to the processing of the personal data’.

The key distinction therefore when looking at legitimate processing of sensitive personal data is that a data subject’s consent should be ‘explicit’.


The Art 29 Working Party Opinion 15/2011 sets out that ‘explicit consent’:
  • Means the same as express consent;
  • Encompasses all situations where individuals are presented with a proposal to agree or disagree to a particular use or disclosure of their personal information and they respond actively to the question, orally or in writing;
  • Is usually given in writing with a hand-written signature or in equivalent electronic form (for example, signified online through the use of clickable icons, by sending confirmation e-mails or by using electronic or digital signatures). For example, explicit consent will be given when data subjects sign a consent form that clearly outlines why a data controller wishes to collect and further process personal data;
  • While traditionally given in writing, it can also be given orally, although the Art 29 Working Party highlight that oral consent may be difficult to prove and, therefore, in practice, data controllers are advised to resort to written consent for evidentiary reasons;
  • Means that consent that is inferred, implied or given by way of an ‘opt-out’ will not normally meet the requirement of explicit consent.

The ICO have also set out in their guidance that ‘explicit consent’:

  • Means that the data subject’s consent should be ‘absolutely clear’;
  • Should only be given where the data subject has been given a clear outline of the type of information (or the specific information) being processed, the purpose of the processing and ‘any special aspects that may affect the individual, such as disclosures that will be made’.

How to obtain consent generally


The Art 29 Working Party Opinion 15/2011 sets out that when obtaining consent generally, be that explicit consent or regular consent, the following requirements should be met:

  • It should be obtained before processing starts;
  • It should ‘include any indication of a wish, by which the data subject signifies his agreement’;
  • It should not be inferred from silence or inaction of the data subject;
  • It should be freely given;
  • It should be specific;
  • It should be informed;
  • It should be unambiguous.
We have explained each of these requirements in more detail below:

1. Consent should be obtained before processing starts
Neither the DPA 1998 nor Directive 95/46/EC specify exactly when consent should be obtained but the Art 29 Working Party Opinion 15/2011 suggests that, as a general rule, it should be obtained before the data controller starts processing personal data. The Art 29 Working Party does, however, explain that there is a difference between:
  • Situations where obtaining consent is a legal requirement (for example, in some cases when sending out direct marketing electronically, or where consent is the only available ground for processing personal data under the DPA 1998 because none of the other fair processing conditions can be used to justify the processing in question). In this situation, the data controller must obtain consent before the processing starts to avoid prior processing being unlawful if the data subject does not ultimately provide consent; and
  • Situations where the data subject exercises their right to object to processing. For example, the data controller may be relying on a different fair processing condition under Schedules 2 and 3 of the DPA 1998 to justify their processing (i.e. a condition other than consent). The data subject may decide to exercise their right to object to the processing being carried out or they may withdraw their consent at any time (see below), but until such times as they do so, the data controller can continue processing the personal data. Data controllers should consider any objections or withdrawal of consent promptly so that the processing continues to be fair and lawful (see below).

2. The consent should ‘include any indication of a wish, by which the data subject signifies his agreement’
The data subject should indicate their wishes and signify their agreement in some way that enables the data controller to understand those wishes. The method the data controller uses to obtain and record consents should be proportionate to the circumstances.
Consent does not therefore need to be in writing. It is, however, usually best practice to obtain written consent for evidentiary purposes, particularly when dealing with sensitive personal data, as the Art 29 Working Party recommends (see above).

Obtaining consent orally or from ‘behaviour from which consent could be reasonably concluded’ may be perfectly acceptable in some circumstances, though. The Art 29 Working Party gives the example of dropping a business card in a glass bowl or an individual sending his name and address to an organisation in order to obtain information from it. “In this case his action should be understood to constitute consent to the processing of such data insofar as it is necessary to process and respond to the request.”


The ‘indication of wishes’ from the data subject must be clear to enable valid consent for the processing of data. To extend the example given by the Art 29 Working Party, let us assume that the data subject dropped their business card in a bowl in response to a sign advertising that a competition winner would be drawn from the business cards in the bowl, but stating nothing else. If the sign does not make it clear that the business also intends to use the information from the business card for on-going marketing, is it fair to assume the person consented to that, or that they merely consented to participating in the competition and being contacted for those purposes only? It seems likely that the latter would be considered the case.

3. Consent should not be inferred from silence or inaction of the data subject

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • For an individual to signify their agreement, there must usually be some type of active communication between the parties;
  • Data controllers should not infer consent from non-response to a general communication (for example, from passive behaviour like failure to respond to a communication, return a form, tick a box or respond to a leaflet).

The Art 29 Working Party suggests that without active communication data controllers will often be unable to prove whether the data subject intended to consent.

4. Consent should be freely given

Consent has to be freely given. The Art 29 Working Party Opinion 15/2011 states that:
  • Consent “can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent”.
  • It has explored the limits of consent in several opinions in relation to situations where consent cannot be freely given (e.g. in its opinions on electronic health records (WP131), on the processing of data in the employment context (WP48) and on processing of data by the World Anti-Doping Agency (WP162)).
  • If, once consent is withdrawn, the data processing continues based on another legal ground, doubts could be raised as to the original use of consent as the initial legal ground: if the processing could have taken place from the beginning using this other ground, presenting the individual with a situation where he is asked to consent to the processing could be considered as misleading or inherently unfair.
  • In practice the data subject must have a genuine ability to refuse to give their consent or to withdraw their consent in order for consent to be ‘freely given’. In the employment context, for example, consent may be freely given provided there are appropriate safeguards in place to ensure that the employee has a genuine option to decline (see Opinion 15/2011 for more discussion about the use of consent in an employment relationship).

5. Consent should be specific

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • The wording used to obtain any consent should:
    • Be clear and understandable;
    • Relate to the actual type of data and the actual purposes of the data processing to be carried out, not to ‘an open-ended set of processing activities’ (i.e. blanket generic processing consents should not be sought for all processing, but instead the different purposes must be identified individually (e.g. international data transfer, data sharing, direct marketing etc.));
    • Reflect the reasonable expectation of the parties;
    • Give the data subject the choice to consent in respect of specific processing activities. As the ICO has described: “If you process information for a range of purposes, you should explain this to people. When doing so, you should provide a clear and simple way for them to indicate that they agree to each type of processing. In other words, people should not be forced to agree to several types of processing simply because your privacy notice only includes an option to agree or disagree to all. People may wish to consent to their information being used for one purpose but not another”.
    • The ICO recommends that you should list the different purposes where you are relying on consent with individual unticked opt-in boxes for each or Yes/No buttons of equal size and prominence. Opt-in boxes can be prominently placed in your privacy notice or, with online products and services you may wish to use ‘just-in-time’ notices so that relevant information appears at an appropriate time.
  • Consent will be valid ‘as long as the processing to which it relates continues’.
  • If new kinds of data processing are required, new consents will need to be obtained. Consents linking back to the original notified purposes will not be valid to cover new data processing activities. Note that other fair processing conditions under Schedules 2 and 3 of the DPA 1998 might apply (as discussed above) but in any event it is likely that new fair processing information will need to be provided to the data subject in relation to the new processing that the controller intends to be carried out.
  • It is acceptable for data controllers to obtain consent only once for related but different operations that take place at different times if each of those operations falls within the reasonable expectation of the data subject at the time the individual consented.

6. Consent should be informed

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that:
  • Adequate fair processing information should be provided to enable compliance with the first data protection principle;
  • Consent should be ‘based [on] appreciation and understanding of the facts and implications’;
  • Any information given in order to obtain consent should:
    • Be in a language that is clear, legible and intelligible to an average user;
    • Be set out in a clear, understandable, transparent, clearly visible and prominent manner. As the ICO have stated “good practice is to use an unticked opt-in box. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent cannot be considered valid”;
    • Be easy to understand, perhaps using a multi-layered approach to privacy notices to aid understanding but ensuring that these are all clearly signposted and easy to access. See the ICO’s Privacy Notices Code of Practice for more information;
    • Make clear any adverse consequences associated with the data processing; and
    • Provide more detailed and appropriate information where there are complex data processing operations involved.
  • Consent should be based on honest information. You should not lead people to believe that they can exercise choice over the collection and use of their personal data if in reality they have not got that choice. As the ICO have stated, “there is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent”.
  • To gain consent to using personal data for direct marketing purposes, you should have a separate, unticked, opt-in box prominently displayed. See the ICO’s Guidance on Direct Marketing and the ICO’s Personal Information Online Code of Practice for more detailed information on how to gain valid consent in the marketing context.

7. Consent should be unambiguous

The ICO’s guidance and the Art 29 Working Party Opinion 15/2011 set out that for consent to be unambiguous:
  • It should not usually be based on inaction or silence from data subjects as this always carries inherent ambiguity;
  • There should be ‘no doubt as to the data subject's intention to deliver consent’ i.e. as per the Opinion, “the indication by which the data subject signifies his agreement must leave no room for ambiguity regarding his/her intent. If there is a reasonable doubt about the individual's intention, there is ambiguity”;
  • Data controllers should have implemented robust procedures to capture consents appropriately (whether that is clear express consent or clear inferred consent) and to ensure that the person giving consent is actually the data subject (especially where consent is obtained over the telephone or online);
  • Data controllers should keep evidence of the consents obtained and how they were obtained.
Unambiguous consent may be obtained using different methods of collection (such as signed or written statements, online forms which are ticked or express oral recorded consent), as discussed elsewhere in this practice note.

We have set out below some examples of how one might gain valid consent in different scenarios (e.g. in relation to children, where there are incapacity issues etc.).


Consent from Children and Others with Incapacity


Neither the DPA 1998 nor Directive 95/46/EC specify how consent should be obtained from individuals who lack full legal capacity, including children.

The Art 29 Working Party Opinion 15/2011 sets out that:
  • The conditions for obtaining valid consent from children vary across the EEA.
  • When children's consent is sought, legal requirements may require obtaining the consent of the child and the representative, or the sole consent of the child if he or she is already mature. The ages when one or the other rule applies vary. There are no harmonized procedures for verifying a child’s age.

The ICO's ‘Personal Information Online Code of Practice’ sets out how to obtain consents from vulnerable individuals and children in the context of the online environment. This guidance may perhaps be extended to offline processing of information relating to children and vulnerable people as well, but the ICO has not made this clear. Some of the key points coming out of that ICO guidance are as follows:

  • The ICO refers to ‘vulnerable people’ as, “anyone who, for whatever reason, may find it difficult to understand how their information is used. This could be because they are children, have a learning disability or lack technological understanding”.
  • The DPA 1998 requires fair processing of personal data – this applies regardless of the level of understanding of the people you collect information from. Data controllers should therefore assess the level of understanding of the people their service is aimed at and must not exploit any lack of understanding on the part of those people. This can be particularly challenging when engaging with people online.
  • In the UK there is no simple legal definition of a ‘child’ based on age alone. Children of a similar age can have different levels of maturity and understanding. Data controllers should consider the particular circumstances of the processing as well as the individuals’ ability to understand these to ensure that children’s data is processed fairly.
  • Assessing understanding, rather than merely determining age, is the key to ensuring that personal data about children is collected and used fairly. Having said that, a practical view would be that some form of parental consent would normally be required before collecting personal data from children under 12. You will need to look at the appropriate form for obtaining consent based on any risk posed to the child. You may even decide to obtain parental consent for children aged over 12 where there is greater risk. This has to be determined on a case by case basis.
  • The ICO recommends consideration of other laws, industry rules and codes of practice to establish whether any restrictions apply to children under a certain age.
  • The ICO also highlights various instances in which it is good practice to seek parental consent relating to the collection or use of information about a child.

Withdrawing consent

Data subjects may withdraw their consent to data processing at any time but it will not have retroactive effect.

The Art 29 Working Party refers in Opinion 15/2011 to its previous Opinion 5/2005 on Article 9 of Directive 2002/58/EC, in which it formulated the view that:
  • Withdrawal of consent relates to withdrawal in relation to future processing, not for the data processing that took place in the past, in the period during which the data was collected legitimately;
  • Decisions or processes previously taken on the basis of this information can therefore not be simply annulled. However, if there is no other legal basis justifying the further storage of the data, they should be deleted by the data controller.

This means that in practice a withdrawal of consent requires data controllers to stop processing any personal data where that processing was carried out on the basis of that consent (see ‘Is consent required and what happens if one cannot obtain consent?’ above).


Rights around withdrawal of consent were further considered in the ECJ case of Google Spain SL and another v Agencia Española de Protección de Datos (AEPD) and another (Case C-131/12), in which the court held that data subjects were entitled to ask a search engine operator that has ‘a branch or a subsidiary’ in an EU member state to delete from websites any links to the data subject’s name.

What is changing in relation to consent under the GDPR?

It is intended that Directive 95/46/EC will be replaced by a new General Data Protection Regulation (the “GDPR”), which is due to come into force on 25 May 2018. For more information on the GDPR reforms and their likely impact on your organisation, contact us.

Tuesday, 3 May 2016

You can't rely on the US Privacy Shield yet - EU report says 'must do better'


You’ll recall that on 29 February 2016, following months of intense negotiations, the European Commission unveiled the current proposals for the proposed new EU-U.S. Privacy Shield to enable compliant transfer of personal data from the EU to the US following the dismantling of the US Safe Harbor Scheme. You’ll see our original blog article about it here. As discussed in our original blog, this proposed new compliance mechanism seemed fraught with political wrangling from the beginning.

It is disappointing, if perhaps unsurprising, that the EU Article 29 Working Party (made up of data protection regulators from 28 Member States) (“Art29 WP”) recently declared that in its view the proposed self-certification US Privacy Shield is insufficient to protect the privacy of EU citizens and fails to meet EU adequacy standards. This means that anyone ‘holding out’ for the Privacy Shield to be finalised and turning a blind eye to compliance involving transfers of personal data to the US should certainly no longer do so. It doesn’t look like there will be a definite solution in relation to the Privacy Shield anytime soon.

Although the Art29 WP noted that the Privacy Shield had made some improvements to the old US Safe Harbor Scheme, a number of serious concerns were still raised. These included the lack of clear rules surrounding data retention, over-collection and sharing of information for national security purposes, and insufficient legal remedies for EU citizens.

While the Art29 WP also raised some concerns about the adequacy of Binding Corporate Rules and the EU Standard Contractual Clauses, it has made clear that organisations can, for now, continue to use these mechanisms to enable compliance when transferring personal data outside the EEA. The Art29 WP will look into this issue again when the European Commission has made its decision on the adequacy of the Privacy Shield regime. Although this is expected to happen by June 2016, recent reports have made this deadline look rather shaky. 

At the end of April 2016, the U.S. Undersecretary of Commerce for International Trade made it clear that the U.S. is not keen to renegotiate the Privacy Shield and that, although it considered the Art29 WP’s report important, the U.S. was not inclined to upset the “delicate balance that was achieved” through the Privacy Shield negotiations.

The continued debate means that organisations that already transfer personal data across the water to the U.S face sustained uncertainty. 

Don't get caught out without a compliant US transfer solution in the meantime. If you need our advice on how to transfer personal data legally to the U.S, please contact us.

Thursday, 28 April 2016

Elizabeth Denham formally approved as the new UK Information Commissioner

Following the ICO's announcement back in March 2016, Elizabeth Denham has been formally approved as the next UK Information Commissioner from Summer 2016.

The UK Culture, Media and Sport select committee approved Elizabeth Denham as the new UK Information Commissioner on 27 April 2016.  Subject to receiving final approval from Her Majesty The Queen, Elizabeth Denham will succeed Christopher Graham as Information Commissioner in Summer 2016.


Jesse Norman MP, Chair of the Select Committee, said:

"The Committee noted with interest Ms Denham’s views on a range of topics, including the possible retention of emails as official records, the extension of FOI and directors’ liability for data breaches, in particular.  We also noted Ms Denham’s track record on data protection with Government in British Columbia, and her proactive approach to protection of privacy with major international technology companies."

Elizabeth Denham has previously said:

"I am honoured to be nominated for the position of Information Commissioner for the UK. I believe the rapid pace of technological change we face will continue to accelerate and present challenges to information rights – we must ensure access to information while maintaining high standards of data protection. The Information Commissioner’s Office has a global reputation for practical, innovative and responsive regulation. I look forward to contributing to this work."

Elizabeth Denham is currently the Information and Privacy Commissioner for British Columbia.  She is an inspired choice for the position. The UK regulator will need the wealth of her experience and as much stability as possible given all the changes coming under the new European General Data Protection Regulation.  We are delighted to hear that Elizabeth's recommendation has been approved by the Select Committee and wish her much success in the new role.  


Thursday, 4 February 2016

Ding Dong Safe Harbor is dead: Long Live the EU-US Privacy Shield???

Announcement of the new ‘EU-US Privacy Shield’


We have previously reported the demise of the US Safe Harbor scheme in our October 2015 and January 2016 Pritchetts Blog reports.


Just after the end of the three-month so-called grace period that was introduced to try to find a new compliance mechanism to permit transfer of personal information from the EEA to the USA, the European Commission announced on 2 February 2016 that a new agreement had been reached.


Key Facts about the new US international personal data transfer compliance mechanism:

  • The new scheme will replace the previous US Safe Harbor Scheme and is to be called the ‘EU-US Privacy Shield’; it is due to come into force within 3 months, if agreed (see below);
  • According to Andrus Ansip, the Vice-President of the European Commission, and Věra Jourová, Commissioner for Justice, Consumers and Gender Equality, who made the announcement, the new arrangement reflects the requirements set out by the European Court of Justice in the case of Maximilian Schrems v. Data Protection Commissioner (C-362-14) (which we have reported on previously here); On announcing the new scheme Věra Jourová said: “The new EU-US Privacy Shield will protect the fundamental rights of Europeans when their personal data is transferred to US companies. For the first time ever, the US has given the EU binding assurances that the access of public authorities for national security purposes will be subject to clear limitations, safeguards and oversight mechanisms. Also for the first time, EU citizens will benefit from redress mechanisms in this area. In the context of the negotiations for this agreement, the US has assured that it does not conduct mass or indiscriminate surveillance of Europeans. We have established an annual joint review in order to closely monitor the implementation of these commitments.”
 
EU negotiators suggested that the new scheme will:
  • Create tougher obligations on US companies storing personal data relating to EEA citizens;
  • Enhance enforcement by the US Department of Commerce and Federal Trade Commission;
  • Increase co-operation between the US and EEA data protection regulators;
  • Limit access to EEA personal data by US public authorities;
  • Create rights for EEA citizens to raise any concerns about the scheme with a new Ombudsman.

The European Commission are to prepare a draft adequacy decision, which is then to be discussed with the EU Article 29 Working Party.

So is that it? Are we all set to use the new ‘EU-US Privacy Shield’ in 3 months’ time?


We have reported previously on the views of the EU Article 29 Working Party (“Art29 WP”) on this issue. That group have continued meeting over the last few months to consider alternative options to the US Safe Harbor Scheme, primarily the use of the approved EC Standard Contractual Clauses and Binding Corporate Rules.


Now, following announcement of the proposed new EU-US Privacy Shield, the Art29 WP has released a statement setting out their current view that although the European Commission have agreed to go ahead with the new EU-US Privacy Shield, the Art29 WP were not involved in negotiations over the new scheme and as a result only have verbal commitments from the European Commission that the issues previously raised by the Art29 WP have been adequately dealt with.

The Art29 WP have set out four key protections that must be put in place, following EEA case law, before any US international personal data transfer takes place: 

  • Personal data should be processed based on clear, precise and accessible rules, including those allowing individuals to properly understand the various locations where their data are transferred; 
  • The principles of necessity and proportionality must be exercised in relation to the transfer of personal data. A balancing exercise should be carried out to consider the rights of individuals as well as the purposes for which data are collected and accessed for national security reasons; 
  • An effective, impartial and independent oversight mechanism should exist to monitor the collection of and access to personal data; 
  • Effective remedies must be made available to individuals to defend their rights.


The Art29 WP have also:
  • Expressed reservations about whether the new scheme will ensure these protections are in place, and made it clear that they would like to see full documentation relating to the proposed new scheme by the end of February 2016 in order to consider these issues further. Only then will it be able to issue a detailed statement on its views;
  • Indicated that it has similar concerns about the other compliance mechanisms currently permitting EU-US transfer (for example, binding corporate rules and the use of the EC model contractual clauses). The group plans to carry out an analysis of these other options also;
  • Arranged to hold an extraordinary plenary meeting in late March 2016. Following that, the group will consider what personal data transfer mechanisms remain valid for US personal data transfers. The Chairperson of the Art29 WP, Isabelle Falque-Pierrotin, hopes that a final decision could be made by the end of April 2016;
  • Made it clear that, in the meantime, personal data transfers to the US cannot carry on relying on the previous Safe Harbor scheme. It encourages organisations to consider putting the other EEA international data transfer compliance mechanisms in place.


The European Parliament has also raised concerns about the proposed new scheme in its press release, stating amongst other matters that “MEPs also voiced strong concerns over the envisaged safeguards to limit data collection, underlined the need to ensure an independent and individual complaints mechanism as well as access to judicial redress for EU citizens”.



The reaction to this new scheme has been mixed across Europe. One commentator from the Group of the Alliance of Liberals and Democrats for Europe stated: "We urgently need a thorough legal appraisal of the safeguards offered by the US. The legal status of these safeguards is very unclear. It is highly doubtful that they offer meaningful protection to European citizens, or if they meet the standards set by the ECJ."



So what do we do now, especially if we are not even sure that the Privacy Shield will go ahead?



Given the apparent reluctance to commit to the Privacy Shield from many of the European Authorities, it seems that the Privacy Shield is far from a done deal.


No doubt some national data protection authorities will take a harder line on enforcement in this area over the coming months. Although we believe the ICO is likely to take a light-touch approach to enforcement action in the short term, ultimately, doing nothing and waiting for a political solution is not really an option for organisations.


As above, it has been made absolutely clear that reliance on the old Safe Harbor scheme is no longer legal. Any organisations that have been taking a ‘wait and see’ approach therefore have a lot to do, and fast.


For now, the Art29 WP has confirmed its position that the model clauses and binding corporate rules remain valid transfer mechanisms, pending deeper analysis.


Any organisations that have been relying on these compliance mechanisms to transfer data to the US may therefore decide to continue taking a ‘wait and see’ approach in relation to them. However, those in jurisdictions with tougher regulatory regimes may find that their regulators begin to take more stringent action, so watch this space.



We set out our thoughts on what compliance action you should consider taking at this stage under the heading ‘How have businesses reacted to the development?’ in our January Blog article. That Blog also sets out the likely changes under the proposed new European General Data Protection Regulation. Our opinion set out in that Blog remains the same after recent announcements.


Please do consider contacting Pritchetts if we can be of any assistance to you in carrying out analysis of your compliance options or indeed helping you put alternative compliance mechanisms in place.