“Today’s ruling is clearly significant and it is important that regulators and legislators provide a considered and clear response. This ruling is about the legal basis for the transfer of personal data to businesses that are members of the US Safe Harbor. It does not mean that there is an increase in the threat to people’s personal data, but it does make clear the important obligation on organisations to protect people’s data when it leaves the UK.
“The judgment means that businesses that use Safe Harbor will need to review how they ensure that data transferred to the US is transferred in line with the law. We recognise that it will take them some time for them to do this.
“It is important to bear in mind that the Safe Harbor is not the only basis on which transfers of personal data to the US can be made. Many transfers already take place based on different provisions. The ICO has previously published guidance on the full range of options available to businesses to ensure that they are complying with the law related to international transfers. We will now be considering the judgment in detail, working with our counterpart data protection authorities in the other EU member states and issuing further guidance for businesses on the options open to them. Businesses should check the ICO website for details over the coming weeks.
“Concerns about the Safe Harbor are not new. That is why negotiations have been taking place for some time between the European Commission and US authorities with a view to introducing a new, more privacy protective arrangement to replace the existing Safe Harbor agreement. We understand that these negotiations are well advanced."