A recent data protection case in the European Court of Justice (‘ECJ’) affects how we can transfer personal data to the United States of America. This will be important for a number of the University's contracts and data sharing arrangements.
Under data protection legislation, there are limitations on when personal data can be sent to countries outside of the EEA. Personal data can be sent where the European Commission has made a decision that the other country has equivalent arrangements in place to safeguard personal data and the EC had previously decided that transfers to organisations that were certified under the EU-US Privacy Shield* were permitted. But the ECJ’s decision means that is no longer valid.
The EU-U.S. Privacy Shield Framework was designed by the U.S. Department of Commerce and the European Commission to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union to the United States in support of transatlantic commerce.
This will affect a number of contracts and arrangements, in particular IT contracts where data is hosted in the US or involves maintenance or support in the US which accesses personal data. It may be relevant to certain software that the University uses e.g. event planning and contact management tools. It may also impact on some research arrangements where personal data is sent to the US e.g. testing of samples by US labs or sharing data under collaboration agreements with certain organisations.
In cases where we are already using the Privacy Shield to send personal data to the US, we can continue to do so for the time being. The Information Commissioner’s Office will be publishing new guidance but until then, we can carry on sharing data under the Privacy Shield in those existing arrangements. But we are not able to use the Privacy Shield for any new transfers e.g. sharing data under a new IT contract. It will still be possible to send personal data to the US but we will need to have contractual clauses in place to provide adequate protection of personal data.
For any new matters which involves personal data being sent to the US, please seek advice by emailing the Data Protection Officer. More general information about sending personal data outside of the EEA can be found on our data protection webpages here.