On midnight January 31, 2020, the United Kingdom’s law formally governing its exit from the European Union went into effect. From a data protection perspective, however, Brexit has not resulted in any changes in law. In fact, The EU Withdrawal Agreement implements a transition period to resolve post Brexit concerns and other formalities through December 31, 2020. During that time period, most EU law (including GDPR) will continue to apply, and, presumably, the UK will establish its own international data transfer regime in cooperation with appropriate EU data protection regulators.
In light of Brexit, the US Department of Commerce has issued guidance advising EU-U.S. Privacy Shield participants on the steps necessary to remain in compliance with the Privacy Shield Framework both during and after the Transition Period.
During the Transition Period
During the transition period, the European Commission’s decision regarding the Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants. For businesses operating in the United States, current commitments to comply with the EU-US Privacy Shield framework will be considered applicable to the UK as well without a need for any additional action.
After the Transition Period
Once the transition period formally ends on December 31, 2020, however, additional requirements will take effect. By then, Privacy Shield participants who wish to continue receiving personal data from the UK must update their public commitment to specifically state their commitment extends to personal data received from the UK. If the organization receives Human Resources data, it must also update its HR privacy policy. Additionally, organizations that publically commit to compliance with the Privacy Shield Framework for data received from the UK will be required to recertify annually.
Further Information
We can expect to see additional guidance as Brexit developments for international transfers of personal data continue to unfold. In fact, the EU has already set up a Task Force, and committed to beginning the EU’s adequacy assessment of the UK “as soon as possible,” with the UK committing to reciprocate in terms of its own assessment of EU adequacy.
To learn more about the Privacy Shield Framework generally, visit https://www.privacyshield.gov/. Model language for an updated public commitment to comply with the Privacy Shield, including the UK, may be found at Privacy Shield and the UK FAQs.
If you have any questions about this enforcement action or any other privacy law, please do not hesitate to reach out to authors Brian Hengesbaugh and Harry Valetk .
