As we reported in our October 2015 edition of the Isle of Man Regulatory Update, the Court of Justice of the European Union (CJEU) ruled on 6 October 2015 (the Schrems case – Case C-362/14) that organisations cannot rely on the European Commission approved Safe Harbor scheme when transferring personal data from the European Union (EU) to the United States of America (US).

Background

The EU’s Data Protection Directive 95/46/EC (Directive) provides that personal data may only be transferred to a country outside the European Economic Area (EEA) if that country ensures an adequate level of protection for the data. This corresponds to the “Eighth Data Protection Principle” as it is set out in the Isle of Man’s Data Protection Act 2002. The European Commission has certified that a number of non-EEA countries do provide “adequate protection” and the Isle of Man is one of these jurisdictions (so called “adequacy decisions”). In relation to the US, the Commission developed so called “Safe Harbor” arrangements whereby US companies could be certified as providing adequate protection. It was a self-certification scheme operated by the US Federal Trade Commission and provided a US company had a Safe Harbor certification, the transfer of personal data to it was permitted and complied with the terms of the Directive.

Safe Harbor arrangements had come under increased scrutiny and criticism following Edward Snowden’s revelations in 2013 about US security agencies accessing personal data, all of which culminated in the CJEU’s decision in the Schrems case.

The Safe Harbor provisions underpinned a number of commercial arrangements and transfers between the US and the EU and it has been a difficult few months for many organisations to put in place replacement provisions. The other mechanisms to allow compliance with the Directive, such as use of EU Model Contracts and Binding Corporate Rules, still apply post the CJEU’s decision in the Schrems case. However, since the decision, the European Commission has been trying to develop a replacement to the Safe Harbour provisions and it announced the new arrangement for transatlantic data flows on 2 February 2016 – the EU-US Privacy Shield.

Share
Twitter LinkedIn Email Save as PDF
More Publications
30 Jul 2021 |

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
28 Jul 2021 |

Trust Protectors and the Exercise of Trustee Powers

The recent judgment of the Staff of Government Division in the case of Mazzoleni v Summerhill Trust ...

Contributors: Erin Trimble-Cregeen
18 Jun 2021 |

Isle of Man – Extension of Economic Substance Requirements to Partnerships and Limited Liability Companies

The Income Tax (Substance Requirements) Order 2021 was approved by Tynwald on 16 June 2021.  This O...

12 Mar 2021 |

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...

8 Mar 2021 |

Appleby Celebrates International Women’s Day

International Women’s Day is celebrated annually in support of gender equality and equal participa...

8 Dec 2020 |

The International Comparative Legal Guide to Gambling 2021 – Isle of Man Chapter

This chapter was first published in The International Comparative Legal Guide to: Gambling 2021, by ...

Contributors: Sophie Corkish
30 Oct 2020 |

When Worlds Collide – How COVID is Connecting Technology with Natural Resources

Dating back to the beginning of 2020, the natural resources sector has been extremely active at both...

Contributors: Peter Colegate