- UK businesses that transfer databases containing personal data to US companies, or share such databases with them, have to comply with rules set out in the Data Protection Act (DPA) to ensure that the transfer or sharing protects the individuals’ privacy rights.
- One way of doing this was a voluntary scheme set up by the US Department of Commerce called “Safe Harbor”. The EU’s highest court has now ruled that Safe Harbor is not fit for purpose and cannot be used.
- Transfers/sharing which relied on Safe Harbor therefore breach the DPA and, after 31 January 2016, further transfers risk enforcement action, including fines.
- Other compliance methods can be used instead, but these need to be put in place quickly to stay within the law.