The General Data Protection Regulation (“GDPR”) applies to controllers and processors established in the European Economic Area (“EEA”), as well as to controllers and processors established outside the EEA that monitor the behavior of, or offer goods or services to, data subjects within the EEA. Following the UK’s exit from the EU, a transition period is in place until December 31, 2020. At the end of that transition period, the UK will be deemed a third country falling outside the EEA. One consequence is that, even though the UK’s privacy law, the UK Data Protection Act 2018, is based on the GDPR, the rules for transferring data out of the UK will not necessarily be the same as the rules for transferring data out of the EEA. In this blog post, we analyze whether transfers from the UK to the U.S. in reliance on the Privacy Shield Framework (a transfer tool recently invalidated by the Court of Justice of the European Union for EU-U.S. transfers, and found inadequate by the Swiss Federal Data Protection Authority for Swiss-U.S. transfers) are permitted now and will be permitted after the transition period.
Using the Privacy Shield to Transfer Personal Data from the UK Before the End of the Transition Period
Back in July, the European Data Protection Board (“EDPB”) published a set of FAQs on Schrems II, the judgment in which the Court of Justice of the European Union invalidated the Privacy Shield. The UK supervisory authority, the Information Commissioner’s Office (“ICO”), stated that the EDPB guidance continues to apply to UK controllers and processors. Since the FAQs reiterate that the Privacy Shield is no longer a valid mechanism for transferring personal data outside the European Economic Area, it follows that the Privacy Shield is not a valid mechanism for transferring personal data from the UK to the U.S. for the remainder of the transition period.
Using the Privacy Shield to Transfer Personal Data from the UK After the Transition Period
The UK imposes certain restrictions on international personal data transfers. Transfers out of the UK (England, Scotland, Wales, and Northern Ireland) are restricted if all three of the following conditions are met:
- The UK version of the GDPR applies to the processing of personal data being transferred;
- The UK GDPR does not apply to the importer of the data, usually because the importer is located outside of the UK; and
- The UK organization sending the personal data and the recipient of the data are separate organizations (even if both are companies in the same corporate group).
A personal data transfer from a UK organization to a separate U.S. organization therefore qualifies as a restricted transfer. However, guidance on data protection at the end of the transition period issued by the ICO suggests that U.S. organizations participating in the Privacy Shield Framework may continue to rely on their certification to receive data from the UK after the transition period. In particular, three takeaways from the ICO guidance merit special consideration:
- Because the EU adequacy decision for the EU-U.S. Privacy Shield is specific to the EU and the U.S., the UK government will be putting its own arrangements in place rather than relying on that decision;
- The UK government has indicated that it is making arrangements to ensure that the Privacy Shield continues to apply to restricted transfers from the UK to the U.S.; and
- If the transition period ends before those arrangements are finalized, UK organizations will still be able to transfer personal data to Privacy Shield participants, provided that the U.S. organization maintains and updates its public commitment to comply with the Privacy Shield and expressly states that this commitment extends to personal data transferred from the UK.
U.S. Department of Commerce Statement on Schrems II
As explained in a previous blog post, following the Court of Justice of the European Union’s ruling in the Schrems II case, the U.S. Department of Commerce (“DOC”) stated that it would continue to administer the Privacy Shield program and that the invalidation of the Privacy Shield as a basis for transfers from the EEA to the U.S. does not relieve participating organizations of their Privacy Shield obligations.
In light of the recent guidance from the ICO, Privacy Shield participants should think carefully before withdrawing from the Framework. Maintaining their Privacy Shield certification may ease the transition to an enhanced Privacy Shield Framework, which the DOC and the European Commission are currently formulating. We encourage you to contact VeraSafe should you have any questions about international data transfers or Privacy Shield obligations. Schedule a free consultation today with VeraSafe.