With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.
The UK Information Commissioner’s Office (ICO) clarified this past December that existing EU adequacy decisions, including the Privacy Shield framework, would remain lawful mechanisms to export personal data outside of the UK. Since then, the U.S. Department of Commerce (DOC) has published Privacy Shield and the UK FAQs, which clarify that organizations certified to Privacy Shield will not only need to maintain their current Privacy Shield certification (including annual recertification) but also add to their public Privacy Shield commitment a separate reference to treat UK-based data transfers as subject to their Privacy Shield certification.
DOC has suggested that Privacy Shield organizations reference UK data transfers in their privacy policies similarly to the following model language:
Our blog has been tracking Brexit’s uncertain timeline and its implications for privacy compliance. UK privacy regulators have issued guidance accounting for two eventualities that also are reflected in the DOC’s Privacy Shield FAQs: (1) “No-deal” or “hard” Brexit, after which there would be no transition period for shifting to UK rules, or (2) “soft” Brexit that would permit a year-long transition period during which EU rules would still apply. Because it is still unclear whether the UK and EU will finalize their withdrawal agreement implementing the transition period, Privacy Shield certified organizations should plan for a “hard” Brexit that would require updated privacy policies by April 12, 2019 or May 22, 2019 (depending on which “hard” Brexit date is used). In case of a “soft” Brexit according to the current draft withdrawal agreement, Privacy Shield organizations would have until December 31, 2020 to comply with the new requirement.
Organizations certified to Privacy Shield should also understand DOC’s view that if they previously selected the EU Data Protection Authority Panel as their external dispute resolution method (or if they use Privacy Shield to transfer human resources data, in which case the EU Data Protection Authority Panel applies by default), they will be required to “cooperate and comply” with the ICO in the event of a complaint by a UK resident. If selected, the EU Data Protection Authority Panel has authority to issue binding “advice” to Privacy Shield organizations in response to disputes raised by data subjects, at which point the organization must comply within 25 days.