We also reported in the April 2016 edition of the Update on the European Commission’s proposed replacement to the Safe Harbor provisions announced on 2 February 2016 – the so called “EU-US Privacy Shield”.


The EU’s Data Protection Directive 95/46/EC (Directive) provides that personal data may only be transferred

to a country outside the European Economic Area (EEA) if that country ensures an adequate level of protection for the data. This corresponds to the “Eighth Data Protection Principle” as it is set out in the Isle of Man’s Data Protection Act 2002. The European Commission has certified that a number of non-EEA countries do provide “adequate protection” and the Isle of Man is one of these jurisdictions (so called “adequacy decisions”). Inrelation to the US, the Commission developed the “Safe Harbor” arrangement whereby US companies could be certified as providing adequate protection. It was a self-certification scheme operated by the US Federal Trade Commission and provided a US company had a Safe Harbor certification, the transfer of personal data to it was permitted and complied with the terms of the Directive. It was this Safe Harbor regime that the CJEU ruled in the Schrems case was not compliant with the Directive.

The EU-US Privacy Shield

The new proposed arrangements were set out in the April 2016 edition of the Update and a copy of that article can be accessed here. Since the date of that article, the European Parliament has adopted a resolution in relation to the framework and on 8 July, member states representatives approved the final version of the EUUS Privacy Shield, although it appears that there were four abstentions from the vote. On 12 July, the European Commission adopted the new arrangement and it entered into force immediately. On the US side, the framework will be published in the Federal Register (the equivalent to the EU’s Official Journal). The US Department of Justice will start operating the Privacy Shield and companies will be able to certify with the Commerce Department from 1 August.

Why does this matter in the Isle of Man?

The Isle of Man’s Data Protection Act 2002 (DPA) is based on the Directive. The terms of the Eighth Data Protection Principle under the DPA state that “personal data shall not be transferred to a country or territory outside the Island unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” Under paragraph 23 of Schedule 1 of the DPA, if transfers are made to countries within the EEA, they are presumed to have an adequate level of protection. In addition, if the European Commission has made an adequacy finding in relation to the transfer in question then such will have effect under the DPA. This issue therefore does impact on Isle of Man entities wishing to transfer personal data to the US.

A small matter called “BREXIT”

What impact will Brexit have on all of this? As with most aspects of Brexit, we do not know the full answer at present. The new regime for data protection in the EU (the General Data Protection Regulation (GDPR)) was adopted in April 2016 and will be directly applicable in all member states without the need for implementing legislation. However, the GDPR gives member states two years to comply so it looks likely that it will apply in the UK before any formal exit by the UK from the EU. After that exit, the UK Parliament is free to have separate data protection legislation from the EU but it will make little sense for either the UK or the Isle of Man to have materially different data protection legislation to the provisions found in the GDPR, especially if either jurisdiction wants to facilitate the transfers of personal data between the UK/IOM and the EU.

There is a Chinese proverb (or is it a curse?) that states “may you live in interesting times.” I think that at present, we would all settle for matters being merely “interesting”! However, where there is uncertainty, there is opportunity and the question is therefore, what does this mean for the Isle of Man?

PDF Version

Twitter LinkedIn Email Save as PDF
More Publications
27 Sep 2022

Similar but Different

While the basic features of the trust remain, there are some notable differences in how trusts can b...

25 Jul 2022

Balancing Regulatory and Data Protection Compliance

This article considers data protection compliance in the context of financial services regulatory co...

Contributors: Claire Milne WS
30 Jun 2022

Getting into the Weeds: Isle of Man Regulation of Global Cannabis Investments

The global cannabis industry has grown rapidly in recent years as a number of jurisdictions have lib...

Contributors: Sophie Corkish
24 Feb 2022

Welcoming Fintech Innovation in the Isle of Man

The Isle of Man Financial Services Authority (IOMFSA) has published online support for fintech innov...

25 Nov 2021

Regulatory Approach to ESG across the Crown Dependencies

New requirements may require investment products to display a label reflecting their sustainability ...

25 Nov 2021

The International Comparative Legal Guide to Gambling 2022 – Isle of Man Chapter

This chapter was first published in The International Comparative Legal Guide to: Gambling 2022, by ...

Contributors: Sophie Corkish
30 Jul 2021

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
28 Jul 2021

Trust Protectors and the Exercise of Trustee Powers

The recent judgment of the Staff of Government Division in the case of Mazzoleni v Summerhill Trust ...

Contributors: Erin Trimble-Cregeen
18 Jun 2021

Isle of Man – Extension of Economic Substance Requirements to Partnerships and Limited Liability Companies

The Income Tax (Substance Requirements) Order 2021 was approved by Tynwald on 16 June 2021.  This O...

12 Mar 2021

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...