Things have moved on to a limited degree since the final decision in the Schrems v Data Protection Commissioner case which just about demolished the Safe Harbour provisions for data transfer to the USA.
In what is seen as a significant move, the US Congress has passed, virtually nodded through, the Judicial Redress Act. It is seen as a step towards addressing concerns about data transfer to the US by allowing non-US citizens to bring private actions against US agencies. One should warn against getting carried away, as there are limitations and the major problem remains: data sent to the USA is not secure from state interception. It is expected to pass into law early next year, as is the European General Data Protection Regulation. Whilst the latter’s creation was pre-Schrems, it is likely to have an effect on the drafting of the replacement for Safe Harbour. Full implementation is not likely until 2017, but only the foolish would ignore its provisions.
A Safe Harbour Mk II would not appear to be arriving any time soon, if at all, and in the meantime any transfer of data to the USA relying on the Safe Harbour provisions is, and will remain for some time, unlawful.
The Article 29 Working Party has suggested a period of grace, which ends on 31 January 2016, although this is not a carte blanche to ignore the problems. Whilst prosecution of an offence that would not have been one before the decision is unlikely before that date, it has not been entirely ruled out. Further, if you transfer data to and from other EU countries, and then on to the USA, you should be aware that those countries might have their own requirements.
It is a mess and many companies are in a conundrum as to what the best tactics might be. As mentioned previously, it is essential that you look into what you are doing now and produce a report as to what changes you must make by 31 January. If the report includes changes that could be implemented immediately in order to comply, then it is suggested that you should implement them at once regardless of the period of grace. Any changes that require further consideration should not be shelved as pending, but worked on to ensure that they can be implemented as soon as possible.
There are suggestions that a flexible approach to prosecution is the most probable response, but one would have to be something of an optimist to depend on it. Whilst penalties might be low in the early stages, any complaints or private actions might well cost you your reputation.
We await direction from the various local legislative and advisory bodies in individual EU states. In the meantime these are obviously difficult times for any business that transfers data to the USA and, probably, anywhere outside the EU. On the upside, this might well lead to closer co-operation between the EU and the USA on the protection of personal data.
In the meantime, check the ICO website regularly for updates and advice, and record what you are doing to protect your data, and in doing so protect your company.