UK-U.S. Data Transfers: Post-Brexit Update for Privacy Shield Businesses

Feb 1, 2020 by BBB National Programs

As of February 1, 2020, the United Kingdom is no longer part of the European Union. However, under the terms of the final withdrawal agreement, EU law will remain in effect for the UK through the end of the calendar year. No change to your existing Privacy Shield statement will be required until this transition period ends. As the U.S. Department of Commerce guidance states, “the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.”

Nevertheless, if your business relies on Privacy Shield to receive personal data from the UK, BBB EU Privacy Shieldrecommends that you go ahead and update your Privacy Shield notice in anticipation of the end of the transition period. Fit this into your regular schedule for privacy policy updates. Now that the UK’s withdrawal is official, there is no downside to including separate references to the UK in your Privacy Shield notice. This also has the advantage of future-proofing your notice as the legal environment continues to evolve.

In general, to update your privacy policy, you will simply add “and the United Kingdom” to each existing reference to the European Union (and/or Switzerland) within your Privacy Shield notice. Detailed instructions are included in the Department of Commerce’s updated Brexit guidance.  

If you prefer not to update your notice early, the final deadline for doing so is currently December 31, 2020.

Special considerations. Many businesses who transfer personal information from the UK to the U.S. will find that a full update to their privacy policy will require additional changes:

  • If you provide a notice in your privacy policy about individual’s rights under GDPR, remember that after December 31, 2020, the GDPR will no longer apply to data subjects in the UK. Instead, the UK’s implementing legislation, the Data Protection Act (as updated post-Brexit) will provide these same rights. Privacy policies should be updated to reflect this, especially when referencing the right to lodge a complaint to the relevant data protection authority. Always make sure that it is easy for readers of your privacy policy to determine where to lodge a data protection complaint available to them.

     

  • If you transfer human resources data under Privacy Shield, it will be good practice to update your statement about cooperating with the DPA Panel to include reference to cooperating with the UK Information Commissioner’s Office. That said, the Department of Commerce guidance makes clear that, after December 31st, the existing statement in your privacy notice referencing the DPA panel will be understood to also commit you to cooperating with the UK authority.

EU-UK data transfers. A related issue for many businesses to consider is the question of the future arrangement for personal data transfers between the EU and the UK. You can find reporting on this issue in this recent article from the New Statesman, “Brexit isn’t done: what’s next for data?” More detailed legal analyses are also available from DLA PiperKingsley Napley, and the UK Information Commissioner’s Office. As part of a statement released on February 3, 2020, the UK Prime Minister’s office reaffirmed its position that “the UK would see the EU’s assessment processes on … data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit.”

Further questions? Existing participants should free to reach out to us. If you don’t yet use BBB EU Privacy Shield as your IRM, join us today.

Suggested Articles

Blog

American Privacy Rights Act: A Primer for Business

Was it the recent series of natural phenomena that prompted Congress to move on a bipartisan, bicameral federal privacy bill? We can’t say with certainty, but we can outline for you what we believe to be, at first glance, the most compelling elements of the American Privacy Rights Act of 2024 (APRA).
Read more
Blog

Take Care of Your “Health-Lite” Claims

Some advertisers believe they can avoid scrutiny when making health-related claims by making their claim “softer.” But context is key. Health benefit claims must comply with the FTC’s Health Products Compliance Guidance. The substantiation bar is not lowered by changing the approach to the health-related claim.
Read more
Blog

Bullish but Cautionary: A Balanced Way to Approach the Impact of AI

Business and nonprofit leaders in the U.S. may not feel so weighty a responsibility in assessing the global impact of AI, but we must realize AI’s power to impact our organizations, our local economies, our sectors, and our nation.
Read more
Blog

New Rules of the Road Can Sustain US Leadership on Interoperable Digital Data Flows

President Biden closed February 2024 with an EO that signaled an important development for how the U.S. plans to position and guard itself from global adversaries, and speaks volumes about how the U.S. views the next-generation impacts of data flows on the digital economy and how our nation can be better equipped as a global leader. Read our takeaways and future considerations.
Read more