One of Jisc’s activities is to monitor and, where possible, influence regulatory developments that affect us and our customer universities, colleges and schools as operators of large computer networks. Since Janet and its customer networks are classified by Ofcom as private networks, postings here are likely to concentrate on the regulation of those networks. Postings here are, to the best of our knowledge, accurate on the date they are made, but may well become out of date or unreliable at unpredictable times thereafter. Before taking action that may have legal consequences, you should talk to your own lawyers. NEW: To help navigate the many posts on the General Data Protection Regulation, I've classified them as most relevant to developing a GDPR compliance process, GDPR's effect on specific topics, or how the GDPR is being developed. Or you can just use my free GDPR project plan.

Safe Harbor/Privacy Shield

Monday, February 29, 2016 - 14:40

The European Commission has now published draft texts that could be used to implement an EU/US Privacy Shield to replace the previous Safe Harbor agreement. It appears that the new scheme would only cover "commercial exchanges" of personal data between the EU and US, so it is unlikely to be appropriate for export of personal data to US universities or non-profit organisations. As with Safe Harbor, such exports need to be covered by other approved export mechanisms such as model contracts or individual consent.

For the Privacy Shield to be acceptable as a means of transfer to US companies, it will first need to be approved by the Article 29 Working Party of European Data Protection regulators. They are expecting to report in mid-April. But, like Safe Harbor, their decision could still be challenged in the European Court of Justice, so legal uncertainty is likely to persist around any new mechanism for some time.

Any organisation exporting personal data, whether to the US or elsewhere, should aim to provide a range of data protection measures, rather than relying on any single one.