Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s withdrawal from the EU?

UPDATED January 31, 2020

Under the Withdrawal Agreement, EU law (including EU data protection law) will continue to apply to and in the UK during the Transition Period from January 31, 2020, until December 31, 2020. 

During the Transition Period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants. In addition, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required. 

To continue receiving personal data from the UK in reliance on Privacy Shield after the Transition Period, Privacy Shield participants must take the following steps by December 31, 2020:

1. First, a Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK. 
Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield. If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy. Model language for these updates is provided below:

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after December 31, 2020.

2. Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

After December 31, 2020, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.

The Department of Commerce encourages Privacy Shield participants who receive personal data from the United Kingdom to use the Transition Period as an opportunity to prepare any needed updates to their privacy policies. We will continue to monitor the United Kingdom’s withdrawal from the European Union and update this guidance as needed.