UK-U.S. Data Transfers: Post-Brexit Update for Privacy Shield Businesses

Feb 1, 2020 by BBB National Programs

As of February 1, 2020, the United Kingdom is no longer part of the European Union. However, under the terms of the final withdrawal agreement, EU law will remain in effect for the UK through the end of the calendar year. No change to your existing Privacy Shield statement will be required until this transition period ends. As the U.S. Department of Commerce guidance states, “the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.”

Nevertheless, if your business relies on Privacy Shield to receive personal data from the UK, BBB EU Privacy Shieldrecommends that you go ahead and update your Privacy Shield notice in anticipation of the end of the transition period. Fit this into your regular schedule for privacy policy updates. Now that the UK’s withdrawal is official, there is no downside to including separate references to the UK in your Privacy Shield notice. This also has the advantage of future-proofing your notice as the legal environment continues to evolve.

In general, to update your privacy policy, you will simply add “and the United Kingdom” to each existing reference to the European Union (and/or Switzerland) within your Privacy Shield notice. Detailed instructions are included in the Department of Commerce’s updated Brexit guidance.  

If you prefer not to update your notice early, the final deadline for doing so is currently December 31, 2020.

Special considerations. Many businesses who transfer personal information from the UK to the U.S. will find that a full update to their privacy policy will require additional changes:

  • If you provide a notice in your privacy policy about individual’s rights under GDPR, remember that after December 31, 2020, the GDPR will no longer apply to data subjects in the UK. Instead, the UK’s implementing legislation, the Data Protection Act (as updated post-Brexit) will provide these same rights. Privacy policies should be updated to reflect this, especially when referencing the right to lodge a complaint to the relevant data protection authority. Always make sure that it is easy for readers of your privacy policy to determine where to lodge a data protection complaint available to them.


  • If you transfer human resources data under Privacy Shield, it will be good practice to update your statement about cooperating with the DPA Panel to include reference to cooperating with the UK Information Commissioner’s Office. That said, the Department of Commerce guidance makes clear that, after December 31st, the existing statement in your privacy notice referencing the DPA panel will be understood to also commit you to cooperating with the UK authority.

EU-UK data transfers. A related issue for many businesses to consider is the question of the future arrangement for personal data transfers between the EU and the UK. You can find reporting on this issue in this recent article from the New Statesman, “Brexit isn’t done: what’s next for data?” More detailed legal analyses are also available from DLA PiperKingsley Napley, and the UK Information Commissioner’s Office. As part of a statement released on February 3, 2020, the UK Prime Minister’s office reaffirmed its position that “the UK would see the EU’s assessment processes on … data adequacy as technical and confirmatory of the reality that the UK will be operating exactly the same regulatory frameworks as the EU at the point of exit.”

Further questions? Existing participants should free to reach out to us. If you don’t yet use BBB EU Privacy Shield as your IRM, join us today.

Suggested Articles


Are used cars covered under lemon laws?

Do your homework to make sure the used car you plan to buy is not a lemon, and if it is, does the lemon law cover it? The answer may depend on where you purchased the vehicle or where you live.
Read more

Case Study: Getting to Compliance with CARU and COPPA

In a recent case, CARU worked with TickTalk to help them achieve compliance with CARU’s Privacy Guidelines and the Children’s Online Privacy Protection Act (COPPA). CARU sat down with TickTalk once the case had closed to discuss their experience as well as some of the privacy challenges many companies face in the children’s space.
Read more

What to Know About the Georgia Lemon Law

BBB AUTO LINE provides an overview of each state’s lemon laws. In our ongoing blog series, we offer further insights on the laws for select states, and how BBB AUTO LINE can support consumers with lemon law disputes. Florida, California, and Texas have been covered. This post reviews the nuances of the lemon law in the Peachtree State – Georgia.
Read more

The TAPP Roadmap: Helping U.S. Companies Responsibly Collect and Manage Teenager Data

The TeenAge Privacy Program (TAPP) Roadmap was designed to assist any business that wishes to engage proactively with teen consumers, providing an operational framework to map the broad spectrum of potential harms impacting teens onto a concrete set of operational considerations.
Read more