There has been welcome clarification on the scope of the EU-U.S. Privacy Shield on UK data following the UK's expected departure from the EU. Guidance from the U.S. Department of Commerce, which administers the Privacy Shield, confirms that businesses currently relying on Privacy Shield to receive personal data from the UK will still be able to do so, provided they continue to meet the annual certification requirements and update their relevant policies, as outlined in more detail below.
'Deal or No-Deal'
In the event of a Brexit deal, the UK and EU have preliminarily agreed to a transition period from the date of the UK leaving the EU until the agreed end date (currently, 31 December 2020) (“Transition Period”). During this Transition Period, the UK would still be within the remit of EU law and therefore EU data protection law would continue to apply to the UK. During the Transition Period, there would be no action required from certified participants to continue to receive personal data from the UK in reliance on Privacy Shield.
A further extension to the period for negotiating the Article 50 Withdrawal Agreement has been agreed until 31 October 2019, and in the interim the government hopes to return with a reformed Brexit deal.
However, if the UK and EU fail to agree to a deal or a further extension and there is no Transition Period, contingency plans would need to be put in place for UK-US personal data transfers.
Continuing requirements and updates
Once the Transition Period is over, or in the event that there is no Transition Period at all, any business wishing to rely on the Privacy Shield must do the following:
- As ever, maintain the requirements for Privacy Shield certification, including recertifying annually; and
In relation to the second requirement, the U.S. Department of Commerce has included template wording in its Privacy Shield and the UK FAQs for both required updates.
Any organisation that follows this guidance will be able to continue to receive data from the UK in reliance on Privacy Shield as before. An organisation that has signed up to Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework, will be taken to have committed to cooperate and comply with the UK Information Commissioner's Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.
Whilst an extension has been granted to the period for agreeing the Withdrawal Agreement, there remains uncertainty as to whether or when the EU and UK might reach an accord.
The current guidance is that, 'deal' or 'no-deal', it will be possible for Privacy Shield-certified businesses to continue to rely on Privacy Shield to receive personal data from the UK.
However, be aware that, following any Transition Period, or in the event that there is no Transition Period, an organisation that does not modify its commitment to make the updates referred to above will not be able to rely on the Privacy Shield Framework to receive personal data from the UK. Therefore, businesses that are likely to be impacted by this would be well advised to keep a close eye on developments in this area, and possibly even update their relevant policies now so that they are prepared for every eventuality.
Businesses should also be aware that EU standard contractual clauses may be another option for businesses to compliantly export personal data from the UK post-Brexit. Please see the guidance provided by the ICO here plus their more detailed guidance here.
For more information about preparing for Brexit and/or compliance with GDPR generally, please get in touch with one of the CMS Cameron McKenna Nabarro Olswang contacts listed on this page.