UK-U.S. Data Transfers: Post-Brexit Update for Privacy Shield Businesses

Feb 1, 2020, 09:00 AM by BBB National Programs

As of February 1, 2020, the United Kingdom is no longer part of the European Union. However, under the terms of the final withdrawal agreement, EU law will remain in effect for the UK through the end of the calendar year. No change to your existing Privacy Shield statement will be required until this transition period ends. As the U.S. Department of Commerce guidance states, “the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.”

Nevertheless, if your business relies on Privacy Shield to receive personal data from the UK, BBB EU Privacy Shieldrecommends that you go ahead and update your Privacy Shield notice in anticipation of the end of the transition period. Fit this into your regular schedule for privacy policy updates. Now that the UK’s withdrawal is official, there is no downside to including separate references to the UK in your Privacy Shield notice. This also has the advantage of future-proofing your notice as the legal environment continues to evolve.

In general, to update your privacy policy, you will simply add “and the United Kingdom” to each existing reference to the European Union (and/or Switzerland) within your Privacy Shield notice. Detailed instructions are included in the Department of Commerce’s updated Brexit guidance.  

If you prefer not to update your notice early, the final deadline for doing so is currently December 31, 2020.

Special considerations. Many businesses who transfer personal information from the UK to the U.S. will find that a full update to their privacy policy will require additional changes:

  • If you provide a notice in your privacy policy about individual’s rights under GDPR, remember that after December 31, 2020, the GDPR will no longer apply to data subjects in the UK. Instead, the UK’s implementing legislation, the Data Protection Act (as updated post-Brexit) will provide these same rights. Privacy policies should be updated to reflect this, especially when referencing the right to lodge a complaint to the relevant data protection authority. Always make sure that it is easy for readers of your privacy policy to determine where to lodge a data protection complaint available to them.

  • If you transfer human resources data under Privacy Shield, it will be good practice to update your statement about cooperating with the DPA Panel to include reference to cooperating with the UK Information Commissioner’s Office. That said, the Department of Commerce guidance makes clear that, after December 31st, the existing statement in your privacy notice referencing the DPA panel will be understood to also commit you to cooperating with the UK authority.

EU-UK data transfers. A related issue for many businesses to consider is the question of the future arrangement for personal data transfers between the EU and the UK. You can find reporting on this issue in this recent article from the New Statesman, “Brexit isn’t done: what’s next for data?” More detailed legal analyses are also available from DLA PiperKingsley Napley, and the UK Information Commissioner’s Office. As part of a statement released on February 3, 2020, the UK Prime Minister’s office reaffirmed its position that “the UK would see the EU’s assessment processes on … data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit.”

Further questions? Existing participants should free to reach out to us. If you don’t yet use BBB EU Privacy Shield as your IRM, join us today.

Other Blog Articles


Harmful Stereotyping in Advertising Must Not Be a “Forever Problem”

Though the annual celebration of Black History Month is drawing to a close, the plethora of issues raised by the study of Black history must always remain top of mind. For those of us who work in truth in advertising at BBB National Programs’ National Advertising Division (NAD), we are paying very close attention to the issues of diversity and stereotyping, as presented in various forms of advertising. Developing a mechanism to addressing representation in advertisements would not be simple, but the time is now to start the conversation. Harmful stereotypes in advertising must not be a forever problem.
Read more

5 Tips for Truthful and Transparent Influencer Marketing and Product Reviews

BBB National Programs’ National Advertising Division is dedicated to truth-in-advertising. To help you ensure that influencer marketing and the use of product reviews in your advertising is both transparent and truthful, we offer the following five tips.
Read more

In 2021, Consumer And Stakeholder Privacy Is About Defining Trust

As business and nonprofit leaders navigate the Fourth Industrial Revolution, consumer and stakeholder privacy has become a matter of defining trust. As new digital services and connected devices fueled by personal data flourish, consumers’ reasonable expectation of privacy shifts. If expectations do not match reality, it can lead to gaps in trust and new paths for litigation and regulatory enforcement. In this piece I outline a few 2021 privacy developments business and nonprofit leaders should note.
Read more

Broadening the Definition of Express and Implicit Representation in Children’s Advertising

One way to gauge exactly how far we have come in implementing diversity and inclusion is by analyzing what we see on our screens, particularly in advertising. The Children’s Advertising Review Unit (CARU) recognizes the special vulnerabilities of children with their limited knowledge, experience, sophistication, and maturity and often places itself in children’s shoes to gain insight when assessing the role advertisement has in shaping their perception.
Read more