UCL Legal Services guidance: sharing personal information with an organisation based in the USA
20 October 2015
On 6 October 2015, the European Court of Justice ruled that the 'US Safe Harbour' agreement used to legally transfer personal data to the USA is invalid.
This agreement previously enabled US-based organisations to voluntarily join a scheme backed by the US federal government, whereby they agreed to abide by a number of data protection terms; in return, the European Commission recognised this as being as good as having to comply with European data protection laws. This meant that it was relatively straightforward to share personal data with US organisations.
The Court's decision was mostly reported as being significant to Facebook, Google, Microsoft and other big US companies. However, it will also have implications for anyone who regularly transfers identifiable information to companies or organisations based in the United States, and this will include UCL.
- Any transfer of personal data to a country outside of the EEA (European Economic Area) requires specific considerations; Safe Harbour was just one element, which related specifically to the US.
- UCL cannot enter into any new agreements which rely on Safe Harbour to share personal information with the USA and we must instead find an alternative means of validating the transfer.
- The ruling invalidates existing agreements which rely on Safe Harbour and in time, when further information and guidance has emerged from the European Commission and the Information Commissioner's Office, these agreements will need to be reviewed and amended in order for the transfers to continue.
If you are planning on transferring personal data to a country outside of the EEA, either as part of a disclosure for a particular purpose such as collaborative research, or because you are thinking of using a non-EEA based company to provide a particular service or function, please seek advice by contacting the UCL Data Protection team: firstname.lastname@example.org.
Further information about sharing personal data with a country outside the EEA can be found here:
Alex Daybank, UCL Data Protection Officer, UCL Legal Services
UPDATE (Dec 2019): Organisations are now required to sign up to the EU/US Privacy Shield in order to provide adequacy with the EU. You can check if a company has signed up by checking here.