Thousands of UK businesses who use US companies to process personal data can breathe a sigh of relief after it was deemed that the data protection standards of companies across the pond that are registered with the EU-US Privacy Shield are up to scratch.
The EU Commission has recently concluded that the EU-US Privacy Shield, a legal framework which ensures protection of data processed by US companies for EU businesses, is providing adequate protection in line with the implementation of GDPR last May.
The GDPR states that businesses should not transfer personal data to a third party based in a country outside the European Economic Area (EEA) unless it provides an adequate level of protection.
Patrick McCallum, a data protection and commercial solicitor at Wright Hassall, said the decision is good news for UK businesses, who have been saved a lot of time and money, but warned that changes may have to be made in 12 months.
McCallum said: “Put simply, many UK businesses that previously relied on the Privacy Shield in order to carry out vital data processing activities would have been in breach of GDPR had the EU Commission not deemed its protection levels to be adequate.
“Businesses would have had to try to negotiate and agree variations to their contracts with their US data processors which imposed the necessary EU model contract clauses on those US companies.
“This would have been very time consuming and costly, while US companies may not have been willing or able to accept such variations.
“Whilst there are still doubts as to the long-term legitimacy of the Privacy Shield, the finding provides reassurance for the next 12 months at least.”
Despite the positivity, there is one potential factor which could see the good news turn to bad for UK companies much sooner than 2020.
The EU Commission’s decision is conditional on the US government appointing a permanent Privacy Shield ombudsperson by February 28, something which has not yet happened.
McCallum said: “All eyes will be on the US government to see if this appointment is made in time.
“If it fails to do so it will be interesting to see whether the EU Commission reverses its decision.
“Regardless of the safeguards that the Privacy Shield provides, UK businesses should ensure they are fully aware of: (a) whether any third parties are processing personal data on their behalf; (b) where these third parties are based, particularly if this is outside the EEA; and (c) whether the protection put in place by these third parties is adequate.”