As we reported in our October 2015 edition of the Isle of Man Regulatory Update, the Court of Justice of the European Union (CJEU) ruled on 6 October 2015 (in the Schrems case) that organisations cannot rely on the European Commission approved Safe Harbor scheme when transferring personal data from the European Union (EU) to the United States of America (US). We also reported in the April 2016 edition of the Update on the European Commission's proposed replacement to the Safe Harbor provisions announced on 2 February 2016 - the so called "EU-US Privacy Shield".
The EU's Data Protection Directive 95/46/EC (Directive) provides that personal data may only be transferred to a country outside the European Economic Area (EEA) if that country ensures an adequate level of protection for the data. This corresponds to the "Eighth Data Protection Principle" as it is set out in the Isle of Man's Data Protection Act 2002. The European Commission has certified that a number of non-EEA countries do provide "adequate protection" and the Isle of Man is one of these jurisdictions (so-called "adequacy decisions"). In relation to the US, the Commission developed the "Safe Harbor" arrangement whereby US companies could be certified as providing adequate protection. It was a self-certification scheme operated by the US Federal Trade Commission and, provided a US company had a Safe Harbor certification, the transfer of personal data to it was permitted and complied with the terms of the Directive. It was this Safe Harbor regime that the CJEU ruled in the Schrems case was not compliant with the Directive.
The EU-US Privacy Shield
The new proposed arrangements were set out in the April 2016 edition of the Update and a copy of that article can be accessed here. Since the date of that article, the European Parliament has adopted a resolution in relation to the framework and on 8 July, member states' representatives approved the final version of the EU-US Privacy Shield, although it appears that there were four abstentions from the vote. On 12 July, the European Commission adopted the new arrangement and it entered into force immediately. On the US side, the framework will be published in the Federal Register (the equivalent to the EU's Official Journal). The US Department of Justice will start operating the Privacy Shield and companies will be able to certify with the Commerce Department from 1 August.
Why does this matter in the Isle of Man?
The Isle of Man's Data Protection Act 2002 (DPA) is based on the Directive. The terms of the Eighth Data Protection Principle under the DPA state that "personal data shall not be transferred to a country or territory outside the Island unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data." Under paragraph 23 of Schedule 1 of the DPA, if transfers are made to countries within the EEA, they are presumed to have an adequate level of protection. In addition, if the European Commission has made an adequacy finding in relation to the transfer in question then such will have effect under the DPA. This issue therefore does impact on Isle of Man entities wishing to transfer personal data to the US.
A small matter called "BREXIT"
What impact will Brexit have on all of this? As with most aspects of Brexit, we do not know the full answer at present. The new regime for data protection in the EU (the General Data Protection Regulation (GDPR)) was adopted in April 2016 and will be directly applicable in all member states without the need for implementing legislation. However, the GDPR gives member states two years to comply so it looks likely that it will apply in the UK before any formal exit by the UK from the EU. After that exit, the UK Parliament is free to have separate data protection legislation from the EU but it will make little sense for either the UK or the Isle of Man to have materially different data protection legislation to the provisions found in the GDPR, especially if either jurisdiction wants to facilitate the transfers of personal data between the UK/IOM and the EU.
There is a Chinese proverb (or is it a curse?) that states "may you live in interesting times." I think that at present, we would all settle for matters being merely "interesting"! However, where there is uncertainty, there is opportunity and the question is therefore, what does this mean for the Isle of Man?
Article first published by Appleby in August 2016