
Personal Data: US Safe Harbor

Principle 8 of the Data Protection Act (Schedule 1) prevents the transfer of personal data to a country outside the EEA unless that country has an adequate level of protection.

The Information Commissioner’s Office (ICO) website includes a list of non-EEA countries that the European Commission has determined have an adequate level of protection for personal data. The (short) list includes countries such as the Faroe Islands and Uruguay but the US is conspicuous by its absence.

However, based upon a previous European Commission Decision (2000/520), personal data sent to the US under the voluntary ‘Safe Harbor’ scheme is treated as adequately protected. To fall within this, US firms have to (a) sign up to the Safe Harbor arrangement, under which they agree to follow its principles of data handling, and (b) be held responsible for keeping to those principles by the Federal Trade Commission (or another oversight scheme).

The ‘Safe Harbor Privacy Principles’ and FAQs can be found in Annexes I and II of the Decision. Note from Annex III (‘Section 5 Exceptions’) that certain companies such as US financial institutions are not covered by the Safe Harbor scheme – a list of companies that have signed up to the regime is available on the US Department of Commerce’s website.

On 6 October the Court of Justice of the European Union (CJEU) announced, in a press release, that it had declared Decision 2000/520 invalid.

In practical terms, not being able to rely on ‘Safe Harbor’ is not the same as being unable to transmit personal data to the US, and indeed the message from the ICO (in both an official statement and a blog post) is ‘don’t panic’. Firms that have relied on ‘Safe Harbor’ when transferring personal data to the US should refer to the ICO guidance on Principle 8 – which covers the European Commission model contractual clauses and the assessment of adequacy of protection – and the stand-alone ‘ICO Assessing Adequacy’ guidance. Affected firms may take comfort from the ICO blog post (from the Deputy Commissioner and Director of Data Protection) that “We’re certainly not rushing to use our enforcement powers. There’s no new and immediate threat to individuals’ personal data that’s suddenly arisen that we need to act quickly to prevent”.
