As we reported in our October 2015 edition of the Isle of Man Regulatory Update, the Court of Justice of the European Union (CJEU) ruled on 6 October 2015 (the Schrems case – Case C-362/14) that organisations cannot rely on the European Commission approved Safe Harbor scheme when transferring personal data from the European Union (EU) to the United States of America (US).

Background

The EU’s Data Protection Directive 95/46/EC (Directive) provides that personal data may only be transferred to a country outside the European Economic Area (EEA) if that country ensures an adequate level of protection for the data. This corresponds to the “Eighth Data Protection Principle” as it is set out in the Isle of Man’s Data Protection Act 2002. The European Commission has certified that a number of non-EEA countries do provide “adequate protection” and the Isle of Man is one of these jurisdictions (so called “adequacy decisions”). In relation to the US, the Commission developed so called “Safe Harbor” arrangements whereby US companies could be certified as providing adequate protection. It was a self-certification scheme operated by the US Federal Trade Commission and provided a US company had a Safe Harbor certification, the transfer of personal data to it was permitted and complied with the terms of the Directive.

Safe Harbor arrangements had come under increased scrutiny and criticism following Edward Snowden’s revelations in 2013 about US security agencies accessing personal data, all of which culminated in the CJEU’s decision in the Schrems case.

The Safe Harbor provisions underpinned a number of commercial arrangements and transfers between the US and the EU and it has been a difficult few months for many organisations to put in place replacement provisions. The other mechanisms to allow compliance with the Directive, such as use of EU Model Contracts and Binding Corporate Rules, still apply post the CJEU’s decision in the Schrems case. However, since the decision, the European Commission has been trying to develop a replacement to the Safe Harbour provisions and it announced the new arrangement for transatlantic data flows on 2 February 2016 – the EU-US Privacy Shield.

Share
Twitter LinkedIn Email Save as PDF
More Publications
30 Jun 2022

Getting into the Weeds: Isle of Man Regulation of Global Cannabis Investments

The global cannabis industry has grown rapidly in recent years as a number of jurisdictions have lib...

Contributors: Sophie Corkish
24 Feb 2022

Welcoming Fintech Innovation in the Isle of Man

The Isle of Man Financial Services Authority (IOMFSA) has published online support for fintech innov...

25 Nov 2021

Regulatory Approach to ESG across the Crown Dependencies

New requirements may require investment products to display a label reflecting their sustainability ...

25 Nov 2021

The International Comparative Legal Guide to Gambling 2022 – Isle of Man Chapter

This chapter was first published in The International Comparative Legal Guide to: Gambling 2022, by ...

Contributors: Sophie Corkish
30 Jul 2021

Fighting international fraud

First published in New Law Journal, July 2021. Appleby partners Anthony William and Jared Dann an...

Contributors: Jared Dann, Claire Corkish
28 Jul 2021

Trust Protectors and the Exercise of Trustee Powers

The recent judgment of the Staff of Government Division in the case of Mazzoleni v Summerhill Trust ...

Contributors: Erin Trimble-Cregeen
18 Jun 2021

Isle of Man – Extension of Economic Substance Requirements to Partnerships and Limited Liability Companies

The Income Tax (Substance Requirements) Order 2021 was approved by Tynwald on 16 June 2021.  This O...

12 Mar 2021

Material adverse change clauses in light of the Covid-19 pandemic

Experts from each of our key global offices provide jurisdiction specific advice and answer question...

8 Mar 2021

Appleby Celebrates International Women’s Day

International Women’s Day is celebrated annually in support of gender equality and equal participa...