Why Brexit Matters to Your Privacy Shield Business

May 20, 2020, 09:00 AM by BBB National Programs

Note: this content is out-of-date.

 

You may have heard that the United Kingdom is expected to exit the European Union soon in a process that many are calling “Brexit.” (For background, this article offers a no-frills Brexit explainer.) The Brexit process continues to be politically contentious, and, though the U.K. is scheduled to leave the EU on March 29 April 12 October 31 January 31, 2020, it is not yet certain whether or not this will happen by that date, either partially or fully.

In preparation for the Brexit deadline, the U.S. Department of Commerce has updated its Privacy Shield FAQs with a dedicated page on Privacy Shield and the United Kingdom. This page brings some clarity to the question of how Brexit will affect U.S. businesses that are self-certified under Privacy Shield.

The takeaway? Privacy Shield participating businesses that transfer personal data from the U.K. to the U.S. should be prepared to update their public Privacy Shield disclosures at the time the United Kingdom legally separates from the European Union and no longer applies EU law.

How does this apply to you? If your business relies on Privacy Shield to transfer personal data from the U.K. to the U.S. then yes—at some point and perhaps as early as March 29th April 12 October 31 January 31st—you will need to update the language of your public Privacy Shield-compliant privacy policy. If your Privacy Shield data includes only data from other EU countries (not from the U.K.) then your Privacy Shield disclosure need only refer to the EU (and, of course, Switzerland, if applicable).

Timing is everything. The deadline for updating Privacy Shield policy language depends on the outcome of ongoing Brexit negotiations.

  1. No Agreement:  In the event of a “no deal” Brexit, in which the U.K. leaves the EU by automatic operation of law on March 29 April 12 October 31 January 31, 2020, businesses will need to have Privacy Shield policies in place that refer to the United Kingdom as a separate entity in order for Privacy Shield to cover data transfers from the U.K. The U.S. Department of Commerce explains more:  After the Applicable Date, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO)with regard to personal data received from the UK in reliance on Privacy Shield.
  2. Separation Agreement before "No Deal" Deadline:  If a deal is approved by the U.K. Parliament before March 29April 12 October 31 January 31, the “Applicable Date” of the U.K.’s legal separation will likely be much later. One current draft agreement provides for a transition period that lasts until December 31, 2020. If this agreement were adopted, EU-US Privacy Shield would remain a valid transfer mechanism for the U.K. until that time, and no additional privacy policy references to the U.K. would be required until the end of the transition.

Should I update my privacy policy language now? The Department of Commerce has made it clear that it will not penalize a business for adding “and the United Kingdom” to its privacy notice before Brexit has occurred. BBB EU Privacy Shield will follow the Department’s guidance in this regard. Until the U.K. is a legally separate entity for purposes of data protection law, privacy policy disclosures that refer only to the EU will continue to be compliant. We will notify all our participants and update this blog post when there is further certainty about the final deadline for updating Privacy Shield disclosures. In the meantime, participating businesses are welcome to add references to the U.K. in accordance with Department of Commerce suggested language without requesting pre-approval from our program.

Suggested language. The Department of Commerce page includes suggested language updates for your posted privacy policy. Essentially, these come down to adding the words “United Kingdom” in the section of your policy that describes the data covered by your Privacy Shield self-certification. For example:

IF YOUR COMPANY IS CERTIFIED TO EU-U.S. AND SWISS-U.S. PRIVACY SHIELD

Company X complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States in reliance on Privacy Shield.”

IF YOUR COMPANY IS CERTIFIED TO EU-U.S. PRIVACY SHIELD ONLY

Company X complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom to the United States in reliance on Privacy Shield.”

What about other data transfers after Brexit? For further analysis on likely  scenarios for other common cross-border transfers of personal data after Brexit, check out the following resources. The likely application of the U.K.’s Data Protection Act to transfers of personal data to and from the U.K. is covered in this post from Hogan Lovells. Possible effects of Brexit on data transfers between the EU and the U.K. under GDPR are covered in this post from Latham & Watkins. If pictures are more your style, check out this helpful infographic from the IAPP: Brexit: Data Protection and Transfers Infographic.

Suggested Articles

Blog

Avoid Misleading Messages When Advertising Medical Devices

Advertisers of medical devices face complex tasks when marketing their products. In addition to complying with FDA regulations, medical device advertising is subject to the same truth-in-advertising principles set by the FTC. In addition to express claims, marketers are responsible for all the messages reasonably conveyed to consumers in their advertising and should ask some important questions to ensure consumers are not misled. Ask yourself these questions when advertising medical devices to avoid conveying misleading messages.
Read more
Blog

The Do’s and Don’ts of Buying Smart for Baby: A Primer from Privacy Experts

Researching a new product and finding the critical or in-depth information you are looking for to build confidence in your purchasing decision often requires sifting through superficial lists of “best products.” These lists are often sponsored by the products they feature, which means instead of a focus on being helpful they are full of incentivized endorsements and affiliate links. In this blog, we provide a list – not a sponsored list – of some do’s and don’ts for how to confidently research smart devices.
Read more
Blog

When Web Designs Turn Into Dark Patterns And What To Do About It

Recently I wrote about the proliferation of dark patterns and tried to give readers a sense of just how widespread these practices are. But it is not just the pervasiveness of dark patterns that has lawmakers and regulators concerned, it is the intent behind them and their impact on consumers. Nonprofit leaders, in particular, should be aware of this and how to guard against it given that they are well-positioned to garner and enhance consumer trust.
Read more
Blog

Politics Aside, Advertising Gains Guidance on Deception and Substantiation in the 1980s

As we continue to celebrate the 50th anniversary of the National Advertising Division (NAD) we are looking forward while taking stock of past decades, with a special focus on decisions and developments that continue to impact advertising law and NAD cases today. This month we highlight two pivotal moments from the 1980’s that helped shape NAD’s jurisprudence.
Read more