An important GDPR update for all Compass members.
In mid-July the EU Courts of Justice overturned the previous EU-USA Privacy Shield agreement (Schrems II judgement), not because of the agreement itself but because the USA maintains considerable surveillance of the general population. Once EU data went to the USA, the American Government could do what it liked with it, with no comeback.
For this reason alone, if you are working with or selling to people in the USA, you should at least make a note of this in your website/trading policies to show you recognise this state of affairs, even if you can’t do anything about it. For the EU/USA this is very much back to the drawing board.
As the dust settles on what is something of a shocker, we now consider the UK’s potential agreement with the EU for GDPR after December, where a major barrier is arising. Previously the EU has held back from granting equivalency because the UK also has wide-ranging public surveillance going on under non-GDPR legislation. As this is now set in EU/USA precedent, it makes it ‘impossible’ for the UK to get its GDPR equivalency, as neither the UK nor the EU can agree a fudge. You should already have a note in any GDPR policy that UK/EU working is subject to equivalence being given?
After December this year, practically, the UK/USA can carry on regardless. After December, UK/EU working may simply become illegal if you take a very worst-case scenario. Privacy activists in the EU/UK may seek the same judgement from the Courts of Justice against the UK, and in this three-way tryst (UK-USA-EU) a major mess awaits.
I suggest that if you keep personal data for use in the USA and EU, you begin thinking about splitting it between those jurisdictions. The cloud platforms (Azure, AWS etc.) can be useful for this, though at a cost. You will also need to be careful with online service providers such as MailChimp and do your best to keep data regional. I doubt the Information Commissioner will do much in terms of claims against organisations, provided they can show they tried to keep pace with it all.
Most importantly, make sure your Standard Contractual Conditions are in place for all your data handling suppliers – anywhere. The SCCs were held by the court to be enforceable still.
First published and Copyright in May 2020