Email Terms & Conditions / Legal Ombudsman / Cyber Fraud Alert

Email Terms & Conditions:

This e‑mail and any attachment are strictly confidential and contain proprietary information, some or all of which may be legally privileged. It is intended solely for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you must please notify the author immediately by telephone on +4420 3588 3500, or by replying to this e‑mail. Once you have notified the sender please delete all copies of the e‑mail on your system; you must not use, disclose, distribute, copy, print or rely on this e‑mail. Furthermore, whilst we have taken reasonable precautions to ensure that this e‑mail and any attachment has been checked for viruses, we cannot guarantee that they are virus free and we shall not accept liability for any damage sustained as a result of software viruses. We would advise that you carry out your own virus checks. Any views or opinions presented in this email are solely those of the author and might not represent those of Saracens Solicitors. We use the word ‘partner’ to refer to a shareowner or director of the company, our principal place of business and the registered office is at Strand Bridge House, 140 Strand, London, WC2R 1HH. 

 

Legal Ombudsman:

We always aim for excellence but for any concerns you have about our service that we are unable to resolve to your satisfaction please click here for more information about the Legal Ombudsman. 

 

Cyber Fraud Alert:

E‑mails can be intercepted, lost or corrupted. Saracens Solicitors have no plans to change our bank details at present. Our account details are usually set out in our initial letters to you and have not changed in the last 10 years. If you have any doubt about our banking details or the content of any of our email communications, please speak with the lawyer representing you to re‑confirm the details.

Is your business transferring data unlawfully outside the EU?

International-data-transfers
Since the decision last July (2020) by the Court of Justice of the European Union (CJEU) in what is known as Schrems II, the legitimacy of international data transfers to outside of the EU has once again been thrown into question. What Has This Got To Do with My Business? You may be wondering what this has to do with you and your business? You might be surprised to learn that the chances are, it very much does. The reason for this is as follows. Many cloud and service providers use servers which are based outside of the EU. Whilst some have now moved their data inside the EU, or have an option for you to choose where your data is stored, many are still based in the US (or outside the EU). Which is a potential problem and could put your business in breach of both EU and UK data protection laws (since the UK Data Protection Act 2018 largely follows the GDPR (or General Data Protection Regulation)). Decision in Schrems II Without going into the detail of why Max Schrems took Facebook to court and what the court decided (if you want to read more about that, see here), the decision in Schrems II effectively means:
  • the EU-US Privacy Shield is now invalidated (the Privacy Shield allowed data to be transferred from the EU (and from the UK, when we were in the EU) to the US, provided the US importer had voluntarily registered itself for the Privacy Shield scheme)
  • the only method now of transferring data to third countries like the US (assuming there has been no adequacy decision by the EU Commission[1] and ignoring Binding Corporate Rules[2]) is using EU standard contractual clauses (or SCCs for short).
However, the current SCCs are arcane, largely inappropriate in today’s world and therefore under review by the EU Commission. They will be superseded later this year most likely, so contracts containing SCCs will need to be updated again when this happens (but cannot be before). It doesn’t stop there: you also now have to be an expert in surveillance laws and both the exporter and importer need to decide if the destination country’s laws are “essentially equivalent” to EU data protection laws (an easy task!), by doing the following:
  • if you conclude that the third country does not pass the ‘equivalence’ test, you need to identify and adopt supplementary measures to bring it to the level of “essential equivalence”, e.g. through the use of encryption or pseudonymisation, or by adding layers of contractual obligations on the parties or using other organisational methods
  • if there are no supplementary measures which will help, then the data should not be transferred (or if it is already being transferred, those transfers must stop immediately)
  • whatever the position above, you need to keep the situation under review, in case things change, e.g. the third country obtains (or loses) adequacy status (see footnote 1) or its laws or practices (e.g. in relation to surveillance) change
Conclusion Since Schrems II, the law in relation to data transfers has become even more complex and compliance is difficult if not challenging. Failing to carry out an appropriate assessment in relation to the destination or importing country can get the data exporter into hot water with the supervisory data protection authorities, result in fines and a prohibition on any further transfers of data to your chosen data importer, putting your business at risk. We are experts in international data transfers and can assist in the review, regularisation and drafting of standard contractual clauses as part of a data processing agreement (as well as updating them when the EU Commission approves the new versions of the SCCs due out later in 2021). Should you require further assistance or advice in relation to data transfers, please do not hesitate to contact Brian Miller on +44 (0)203 588 3538 or bmiller@saracenssolicitors.co.uk This note is intended to be general guidance of the law and not a substitute for tailored advice in individual circumstances.   [1] This is where the EU Commission determines a country’s data protection laws are largely equivalent to those of the EU and may therefore be added to the list of countries which have an adequate level of protection. [2] Binding Corporate Rules (or BCRs) are a method whereby (usually) a multi-national company can legitimise transfers between one legal entity to another, where each is in a different jurisdiction and where at least one is usually outside of the EU.
  • Accepted file types: doc, docx, pdf.
  • This field is for validation purposes and should be left unchanged.