Privacy Initiatives: Blog
Why Brexit Matters to Your Privacy Shield Business
Note: this content is out-of-date. You can find our updated Brexit guidance here.
You may have heard that the United Kingdom is expected to exit the European Union soon in a process that many are calling “Brexit.” (For background, this article offers a no-frills Brexit explainer.) The Brexit process continues to be politically contentious, and, though the U.K. is scheduled to leave the EU on
March 29 April 12 October 31 January 31, 2020, it is not yet certain whether or not this will happen by that date, either partially or fully.
In preparation for the Brexit deadline, the U.S. Department of Commerce has updated its Privacy Shield FAQs with a dedicated page on Privacy Shield and the United Kingdom. This page brings some clarity to the question of how Brexit will affect U.S. businesses that are self-certified under Privacy Shield.
The takeaway? Privacy Shield participating businesses that transfer personal data from the U.K. to the U.S. should be prepared to update their public Privacy Shield disclosures at the time the United Kingdom legally separates from the European Union and no longer applies EU law.
How does this apply to you? If your business relies on Privacy Shield to transfer personal data from the U.K. to the U.S. then yes—at some point and perhaps as early as
Timing is everything. The deadline for updating Privacy Shield policy language depends on the outcome of ongoing Brexit negotiations.
- No Agreement: In the event of a “no deal” Brexit, in which the U.K. leaves the EU by automatic operation of law on
March 29 April 12 October 31January 31, 2020, businesses will need to have Privacy Shield policies in place that refer to the United Kingdom as a separate entity in order for Privacy Shield to cover data transfers from the U.K. The U.S. Department of Commerce explains more: After the Applicable Date, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.
- Separation Agreement before "No Deal" Deadline: If a deal is approved by the U.K. Parliament before
IF YOUR COMPANY IS CERTIFIED TO EU-U.S. AND SWISS-U.S. PRIVACY SHIELD
“Company X complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield.”
IF YOUR COMPANY IS CERTIFIED TO EU-U.S. PRIVACY SHIELD ONLY
“Company X complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States in reliance on Privacy Shield.”
What about other data transfers after Brexit? For further analysis on likely scenarios for other common cross-border transfers of personal data after Brexit, check out the following resources. The likely application of the U.K.’s Data Protection Act to transfers of personal data to and from the U.K. is covered in this post from Hogan Lovells. Possible effects of Brexit on data transfers between the EU and the U.K. under GDPR are covered in this post from Latham & Watkins. If pictures are more your style, check out this helpful infographic from the IAPP: Brexit: Data Protection and Transfers Infographic.