Schrems II – Concluding Note

As avid readers of our posts will know we have been highlighting the issues UK businesses face as a result of the court decision turning off the data tap to the USA in a wide range of situations.

Most of our readers will now know that the EU really only approves of its own legalising mechanism of Standard Contractual Clauses (otherwise known as Model Contracts).

To recap, sending personal data out of the UK/EU is frowned upon unless it is going to a safe, approved country (the countries of the EU, EEA, Argentina, Canada and a couple of others). If it is going to any other country there has to be a contractual method in place to safeguard that data.

The reason the EU cancelled the US approved mechanism which is called the Privacy Shield, was because the court decided the USA was not a safe country to send our personal data to, and that was because the US Government can force companies there to hand over any personal data, even that of EU/UK citizens, and the Privacy Shield did not give any safeguards or rights of action to EU citizens if that were to happen.

However, they decided that their own EU Model Contracts did provide sufficient safeguards and rights to citizens, but that is now slightly changed and the data protection authorities are now saying that any business that uses EU Model Contracts has to review the position and, if necessary, put in place additional safeguards for personal data going to the USA.

Now, either the Model Contracts are strong enough to protect EU/UK data or they are not.

So, what it at the root of this confusion?

Quite simply, it is the fact that the US Government can demand businesses there hand over any personal data even if it there on an EU Model Contract basis, because although that document does say the individual will have rights of action, who in reality is going to take on the might of the US Government in US courts? Nobody I know.

Which is why the EU authorities are saying you have to consider what real safeguards you, as a business, can put in place. Will that mean taking out an insurance policy to cover legal actions in the USA, or encrypting the data and holding the keys here, or something else?

As said above, it has to be considered on a case by case basis or run the risk. Wouldn’t it be easier to move it to the UK? There must be a way.

For more information and support please contact our GDPR Specialist:

Ian Sinclair-FordGDPR Specialistian.sinclairford@glenvillewalker.comT: 0151 305 9650 | M: 07786 394 679