How Brexit Will Affect the EU-U.S. Privacy Shield: New Guidance

With continuing uncertainty about whether and how the United Kingdom will manage its scheduled departure from the EU, many U.S. companies have been asking about the effect of Brexit on their participation in the EU-U.S. Privacy Shield. By participating in the Privacy Shield program, U.S. companies can certify that they maintain EU-level privacy protection and thus become eligible to receive lawful transfers of personal data from the EU. The question being asked now is: When the U.K. leaves the EU, will I still be able to rely on the Privacy Shield as a legal basis for importing data from the UK? In an effort to clarify this issue, the U.S. Department of Commerce (which handles the U.S. side of the Privacy Shield) has just issued some brief FAQs.

Following the 2016 Brexit referendum, the U.K. formally notified the EU of its intent to leave on March 29, 2019. However, with this deadline less than three months away, the U.K.’s Parliament has failed to pass legislation to implement Brexit in accordance with the departure deal that the U.K. government has negotiated with the EU. Consequently, there is still no certainty about whether, when, and on what terms Brexit will finally take place. All options remain on the table, ranging from the passage of implementing legislation to a “hard Brexit” (the U.K. simply leaves on March 29 without a specific deal) to a new referendum.

Against this uncertain background, the USDOC’s FAQs break down the possibilities into two “scenarios.” The first assumes that there will be a Transition Period from March 29, 2019 to Dec. 31, 2020, as tentatively agreed on by EU and U.K. negotiators. During the Transition Period, EU law will continue to apply in the U.K. and the Privacy Shield will continue to protect personal data transfers from the U.K. to the U.S. To continue to receive data from the U.K. after Dec. 31, 2020, U.S. companies must, before that date, update their public commitment to comply with the Privacy Shield. This means simply that companies must revise their privacy policy to state specifically that their privacy commitment extends to data received from the U.K. The Department of Commerce’s FAQs page provides a model paragraph for doing this. Companies must also keep their Privacy Shield certification current by recertifying annually.

The second scenario assumes that there is no Transition Period – that the U.K. simply leaves the EU on March 29, 2019, without any finalized agreement. In that case, U.S. companies can rely on the Privacy Shield to import data from the U.K. only if they have updated their commitment as described above by March 29, 2019. They must also keep their certification current.

Putting these requirements together, U.S. companies that want to keep importing personal data from the U.K. under the Privacy Shield should: (1) Monitor the evolving status of Brexit closely. (2) If there is a final deal before March 29, 2019, that creates a Transition Period, then you will have until the end of 2020 to take the simple steps described above. (3) If by early March it appears there will be no deal and thus no Transition Period, immediately update your commitment and make sure that your Privacy Shield certification is up to date. We at Robinson Bradshaw work regularly with the Privacy Shield and other international privacy issues and are ready to assist with any questions you may have.