Pre-Brexit Steps For US Privacy Shield Participants

In anticipation of Brexit the US Department of Commerce (“DOC”) has published steps it expects to be taken by businesses that rely on Privacy Shield to transfer personal data from the UK to the US.

Background – EU-U.S. Personal Data Transfers

The EU General Data Protection Regulation (the “EU GDPR”) restricts transfers of personal data from the EU to non-EU countries, as well as onward transfers of such personal data. Such transfers are only permitted if either:

• the European Commission has determined that the destination country offers an adequate level of protection in respect of personal data (an "adequacy decision");
• specified "adequate safeguards" are in place (such as European Commission-approved "standard contractual clauses" between the data exporter and data importer); or
• one of a limited number of exceptions applies.

Whilst the European Commission has not made an adequacy decision in respect of the U.S. in general, it has made an adequacy decision in respect of Privacy Shield – a voluntary framework administered by the DOC that legitimizes EU-U.S. transfers.

As the UK is currently an EU member state, the EU GDPR applies directly in the UK (for the time being) and transfers of personal data from the UK to non-EU member states are subject to the same rules as transfers from any other EU member state. Transfers from the UK to the U.S. within the Privacy Shield framework are currently permitted.

UK Taking Back Control of Adequacy Decisions

For as long as EU law, including the EU GDPR, applies in the UK, organizations transferring personal data from the UK to outside the EU will be able to rely on European Commission adequacy decisions.

Once EU law ceases to apply to the UK, the EU GDPR will no longer apply to the UK directly. However, the UK’s European Union (Withdrawal) Act 2018 will incorporate into UK law obligations that are equivalent to those under the EU GDPR. The UK’s equivalent of the EU GDPR is (inventively) referred to as the "UK GDPR".

In December 2018, the UK Government published a draft piece of legislation setting out how the UK GDPR will differ from the EU GDPR. Under the UK GDPR, adequacy decisions in respect of transfers of personal data out of the UK are required to be issued by the UK Government (rather than the European Commission). The European Commission’s adequacy decision in respect of Privacy Shield will therefore no longer apply to transfers of personal data from the UK once the UK is outside the remit of EU law.

Recommended Steps

According to the UK data protection regulator, the UK Government intends that Privacy Shield will continue (in an adapted form) as a valid framework for UK-U.S. personal data transfers post-Brexit. The DOC (which administers Privacy Shield) has published simple, practical steps for organizations to extend their current Privacy Shield measures to include post-Brexit UK-U.S. transfers.

• An organization should update its public commitment to comply with Privacy Shield such that it states expressly that the commitment extends to personal data received from the UK in reliance on Privacy Shield.
• An organization should update its Human Resources Privacy Policy to refer to transfers from the UK (if it plans to receive Human Resources data from the UK in reliance on Privacy Shield).

The DOC’s guidance also reminds organizations of their obligations to continue to recertify with Privacy Shield annually.

These changes should be implemented by the time EU law (including the EU GDPR) ceases to apply to the UK. There is currently little certainty as to when this will be (or, for that matter, if it will ever actually happen); but it will be no earlier than March 29, 2019. In a “no deal” scenario, EU law will cease to apply to the UK immediately on the UK leaving the EU (at the time of writing, scheduled for March 29, 2019 although this may be extended) and the Privacy Shield updates should be made before then. If there is a withdrawal agreement between the EU and the UK, there is likely to be a transition period during which EU law continues to apply to the UK after the UK has formally left, in which case Privacy Shield members will have more time to make the changes to their documents (depending on the terms of the withdrawal agreement and, in particular, the length of any transition period).

As the updates to the documentation are likely to be quite straightforward (indeed, the DOC provides specimen language here), updating the relevant documents is a simple, but important, step in Privacy Shield participants’ Brexit preparations.