Privacy Shield and the UK FAQs
Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s planned withdrawal from the EU?
The European Council and the United Kingdom (UK) have agreed to extend the period for withdrawal of the UK from the European Union (EU) beyond March 29, 2019. During the extension period, the UK will remain a Member State of the EU; as a Member State, EU law will remain applicable to and in the UK. The length of the extension period has not yet been determined.
In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”), Privacy Shield participants must update their Privacy Shield commitments by the Applicable Date, as explained below, depending on how the UK and the EU implement the withdrawal.
Scenario (1) “Transition Period”: The UK and EU have preliminarily agreed that from the date the UK leaves the EU until December 31, 2020, a Transition Period will take place during which EU law, including EU data protection law, will continue to apply to and in the UK. During the Transition Period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants. During the Transition Period, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.
Privacy Shield participants seeking to receive personal data from the UK in reliance on the Privacy Shield after the end of the Transition Period must take the steps below by the Applicable Date of December 31, 2020. The Department of Commerce encourages Privacy Shield participants to use the Transition Period as an opportunity to update their privacy policies.
Scenario (2) “No Transition Period”: In the event that the UK and the EU do not finalize an agreement on the Transition Period, Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the steps below by the Applicable Date of April 12, 2019 or May 22, 2019, as the case may be, dependent on the date of the UK’s withdrawal from the European Union.
Updates by the Applicable Date:
To receive personal data from the UK in reliance on Privacy Shield in the case of no Transition Period, or after the Transition Period, a Privacy Shield participant will be required to adhere to the following:
- Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework. An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after the Applicable Date. After the Applicable Date, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.