Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s planned withdrawal from the EU?

UPDATED March 29, 2019

The European Council and the United Kingdom (UK) have agreed to extend the period for withdrawal of the UK from the European Union (EU) beyond March 29, 2019. During the extension period, the UK will remain a Member State of the EU; as a Member State, EU law will remain applicable to and in the UK. The length of the extension period has not yet been determined.  We will update this guidance when more information becomes available. 

In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”), Privacy Shield participants must update their Privacy Shield commitments by the Applicable Date, as explained below, depending on how the UK and the EU implement the withdrawal.

Scenario (1) “Transition  Period”: The UK and EU have preliminarily agreed that from the date the UK leaves the EU until December 31, 2020, a Transition Period will take place during which EU law, including EU data protection law, will continue to apply to and in the UK. During the Transition Period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants.  During the Transition Period, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required. 

Privacy Shield participants seeking to receive personal data from the UK in reliance on the Privacy Shield after the end of the Transition Period must take the steps below by the Applicable Date of December 31, 2020. The Department of Commerce encourages Privacy Shield participants to use the Transition Period as an opportunity to update their privacy policies.

Scenario (2) “No Transition Period”: In the event that the UK and the EU do not finalize an agreement on the Transition Period, Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the steps below by the Applicable Date of April 12, 2019 or May 22, 2019, as the case may be, dependent on the date of the UK’s withdrawal from the European Union. 

Updates by the Applicable Date:
 
To receive personal data from the UK in reliance on Privacy Shield in the case of no Transition Period, or after the Transition Period, a Privacy Shield participant will be required to adhere to the following: 
 
1.    First, a Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK.  Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield.  If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.  Model language for these updates is provided below:

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
 
2.    Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after the Applicable Date..

After the Applicable Date, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.