Deal or No Deal: Privacy Shield & Post-Brexit UK

Even with an extension on the expected exit date of the United Kingdom from the European Union, speculation abounds about the final outcome. General dissatisfaction with Theresa May’s Brexit Deal and continued lack of agreement within the UK Parliament about an alternative is making the reality of a “No Deal” Brexit more likely by the day. This has left the business community on both sides of the Atlantic uncertain about the regulatory landscape in the UK if and when Brexit occurs, including the treatment of international personal data transfers from the UK to other countries (such as the United States) and from the EU/EEA to the UK. This article focuses on the future of international transfers of data from the UK to the United States in reliance on the importing company’s Privacy Shield certification.

The International Trade Administration (U.S. Department of Commerce) has provided guidance to Privacy Shield participants explaining what steps need to be taken to continue to rely on the EU-U.S. Privacy Shield Framework for receiving personal data from the UK, post-Brexit, under what seem like the two most likely scenarios:

  1. A deal is finalized, and EU data protection law will continue to apply in the UK during a previously negotiated “Transition Period” – from the date Brexit occurs until December 31, 2020. For all practical purposes this means the Privacy Shield will continue to apply as is, including for personal data received from the UK. Under this scenario, no immediate additional action on the part of a participant is required, although the transition period should be used to make the necessary updates to applicable privacy policies, as described in (2)(a), below.
  2. No transition period is agreed upon (the case under “no-deal Brexit”), and Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the following steps whenever Brexit occurs:
    a. A participant must expand its public commitment to comply with the Privacy Shield to include personal data received from the UK. Public commitments must specifically state that the commitment extends to personal data received from the UK in reliance on the Privacy Shield. An organization must also update its human resources (HR) privacy policy if it plans to receive HR data from the UK in reliance on Privacy Shield. Model language for all the above is provided by the Department of Commerce on its website.
    b. Participants must keep their Privacy Shield certification current, recertifying annually as required by the Framework. An organization that does not update its commitment will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom either (1) after the Brexit date if there is no Transition Period or (2) after December 31, 2020, if a deal is reached that includes the Transition Period.

No matter what transpires in the coming weeks and beyond, Privacy Shield participants are well-advised to prepare for any scenario. To learn more about the EU-U.S. Privacy Shield Framework and how your organization can prepare for Brexit, contact one of VeraSafe’s privacy experts today for a free consultation.

Contact VeraSafe to discuss your data security management and privacy program today.