UK-U.S. Data Transfers: Post-Brexit Update for Privacy Shield Businesses

Feb 1, 2020, 09:00 AM by BBB National Programs

As of February 1, 2020, the United Kingdom is no longer part of the European Union. However, under the terms of the final withdrawal agreement, EU law will remain in effect for the UK through the end of the calendar year. No change to your existing Privacy Shield statement will be required until this transition period ends. As the U.S. Department of Commerce guidance states, “the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.”

Nevertheless, if your business relies on Privacy Shield to receive personal data from the UK, BBB EU Privacy Shieldrecommends that you go ahead and update your Privacy Shield notice in anticipation of the end of the transition period. Fit this into your regular schedule for privacy policy updates. Now that the UK’s withdrawal is official, there is no downside to including separate references to the UK in your Privacy Shield notice. This also has the advantage of future-proofing your notice as the legal environment continues to evolve.

In general, to update your privacy policy, you will simply add “and the United Kingdom” to each existing reference to the European Union (and/or Switzerland) within your Privacy Shield notice. Detailed instructions are included in the Department of Commerce’s updated Brexit guidance.  

If you prefer not to update your notice early, the final deadline for doing so is currently December 31, 2020.

Special considerations. Many businesses who transfer personal information from the UK to the U.S. will find that a full update to their privacy policy will require additional changes:

  • If you provide a notice in your privacy policy about individual’s rights under GDPR, remember that after December 31, 2020, the GDPR will no longer apply to data subjects in the UK. Instead, the UK’s implementing legislation, the Data Protection Act (as updated post-Brexit) will provide these same rights. Privacy policies should be updated to reflect this, especially when referencing the right to lodge a complaint to the relevant data protection authority. Always make sure that it is easy for readers of your privacy policy to determine where to lodge a data protection complaint available to them.

  • If you transfer human resources data under Privacy Shield, it will be good practice to update your statement about cooperating with the DPA Panel to include reference to cooperating with the UK Information Commissioner’s Office. That said, the Department of Commerce guidance makes clear that, after December 31st, the existing statement in your privacy notice referencing the DPA panel will be understood to also commit you to cooperating with the UK authority.

EU-UK data transfers. A related issue for many businesses to consider is the question of the future arrangement for personal data transfers between the EU and the UK. You can find reporting on this issue in this recent article from the New Statesman, “Brexit isn’t done: what’s next for data?” More detailed legal analyses are also available from DLA PiperKingsley Napley, and the UK Information Commissioner’s Office. As part of a statement released on February 3, 2020, the UK Prime Minister’s office reaffirmed its position that “the UK would see the EU’s assessment processes on … data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit.”

Further questions? Existing participants should free to reach out to us. If you don’t yet use BBB EU Privacy Shield as your IRM, join us today.

Suggested Articles


The 2000s Introduced the Internet and Influencers to Ad Law

The 2000s was a decade of change as online advertising exploded and, as a harbinger of things to come, the online environment became fertile ground for innovative ways to both communicate with consumers or, for the unscrupulous, take advantage of unwary consumers. The low barriers to entry allowed disrupters to enter the digital space and forced traditional marketers to compete in this space or be left behind.
Read more

For Developers: Get to Know the CARU Advertising Guidelines

The CARU Advertising Guidelines are widely recognized industry standards that help ensure advertising directed to children is fair and appropriate for its intended audience across any form of child-directed media. The CARU team outlines some key revisions to the Guidelines to which mobile developers should pay heed.
Read more

Getting Certified: Cisco Demonstrates Dedication to Customer Success through APEC Privacy Compliance

Cisco is an example of how a global company must navigate a variety of legal privacy regimes, while also being dedicated to leading the way on data privacy to maintain and further enhance a trusted relationship with its customers. To thread this needle, Cisco has chosen to rely on a third-party privacy certification offered by our team at BBB National Programs.
Read more

Lemon Law 101: Understanding the Law and Your Rights

If your vehicle is under warranty, lemon laws require your vehicle manufacturer to repair your vehicle. The federal lemon law, known as the Magnusson-Moss Warranty Act (“Mag-Moss”), and state lemon laws are in place to protect consumers from getting stuck with “lemons.” It is important to understand the difference between state and federal lemon laws as well as how you and your vehicle are covered under each.
Read more