BBB National Programs Blog

As of February 1, 2020, the United Kingdom is no longer part of the European Union. However, under the terms of the final withdrawal agreement, EU law will remain in effect for the UK through the end of the calendar year. No change to your existing Privacy Shield statement will be required until this transition period ends. As the U.S. Department of Commerce guidance states, “the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.”

Nevertheless, if your business relies on Privacy Shield to receive personal data from the UK, BBB EU Privacy Shieldrecommends that you go ahead and update your Privacy Shield notice in anticipation of the end of the transition period. Fit this into your regular schedule for privacy policy updates. Now that the UK’s withdrawal is official, there is no downside to including separate references to the UK in your Privacy Shield notice. This also has the advantage of future-proofing your notice as the legal environment continues to evolve.

In general, to update your privacy policy, you will simply add “and the United Kingdom” to each existing reference to the European Union (and/or Switzerland) within your Privacy Shield notice. Detailed instructions are included in the Department of Commerce’s updated Brexit guidance.  

If you prefer not to update your notice early, the final deadline for doing so is currently December 31, 2020.

Special considerations. Many businesses who transfer personal information from the UK to the U.S. will find that a full update to their privacy policy will require additional changes:

• If you provide a notice in your privacy policy about individual’s rights under GDPR, remember that after December 31, 2020, the GDPR will no longer apply to data subjects in the UK. Instead, the UK’s implementing legislation, the Data Protection Act (as updated post-Brexit) will provide these same rights. Privacy policies should be updated to reflect this, especially when referencing the right to lodge a complaint to the relevant data protection authority. Always make sure that it is easy for readers of your privacy policy to determine where to lodge a data protection complaint available to them.

   

• If you transfer human resources data under Privacy Shield, it will be good practice to update your statement about cooperating with the DPA Panel to include reference to cooperating with the UK Information Commissioner’s Office. That said, the Department of Commerce guidance makes clear that, after December 31st, the existing statement in your privacy notice referencing the DPA panel will be understood to also commit you to cooperating with the UK authority.

EU-UK data transfers. A related issue for many businesses to consider is the question of the future arrangement for personal data transfers between the EU and the UK. You can find reporting on this issue in this recent article from the New Statesman, “Brexit isn’t done: what’s next for data?” More detailed legal analyses are also available from DLA Piper, Kingsley Napley, and the UK Information Commissioner’s Office. As part of a statement released on February 3, 2020, the UK Prime Minister’s office reaffirmed its position that “the UK would see the EU’s assessment processes on … data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit.”

Further questions? Existing participants should free to reach out to us. If you don’t yet use BBB EU Privacy Shield as your IRM, join us today.