Transfers of Personal Data from the EU to the U.S. in the Event of a Brexit ‘No-Deal’
The EU-U.S. Privacy Shield (“Privacy Shield”) enables the free flow of personal data from the European Economic Area (“EEA”) to the U.S. Under the Privacy Shield, participating U.S. organisations commit to adhering to the Privacy Shield principles, which include accountability for the onward transfer of personal data received from EEA organisations, data integrity obligations and purpose limitations with respect to the personal data transferred. Privacy Shield participant organisations are also required to develop and maintain a Privacy Shield-compliant privacy policy that informs individuals of the organisation’s practices and procedures when handling personal data and explains the independent recourse mechanisms available to individuals for raising complaints about the processing of their personal data.
On 15 January 2019, the UK Parliament rejected the draft Withdrawal Agreement, negotiated between the British Prime Minister Theresa May and the EU, by 432 votes to 202. Under the terms of the Withdrawal Agreement, the UK would have remained a member of the EU until December 31, 2020, and UK organisations would therefore have been able to rely on the Privacy Shield to transfer personal data from the UK to the U.S. until that date.
As matters currently stand, on 29 March 2019, the UK’s scheduled date of departure from the EU, the UK will be treated as a third country rather than an EU Member State (a “no-deal” exit). However, the UK’s data protection authority, the Information Commissioner’s Office (the “ICO”), has recently issued guidance stating that UK organisations will continue to be able to rely on the Privacy Shield in the event of a no-deal, provided that the U.S. Privacy Shield participant organisations have updated their public commitments to comply with the Privacy Shield (e.g., their privacy policies) to state expressly that those commitments also apply to transfers of personal data from the UK as well as from the EU.
The ICO recommends that UK organisations wishing to continue transferring personal data to U.S. organisations under the Privacy Shield check, prior to transfer, that the U.S. organisation in question has made the required updates to its commitment to comply with the Privacy Shield. Such updates can be confirmed by checking the U.S. organisation’s privacy policy.
Helpfully, the U.S. Department of Commerce (the “DoC”), the U.S. government authority in charge of monitoring compliance with the Privacy Shield, has updated its Privacy Shield FAQs to include a section titled ‘Privacy Shield and the UK FAQs’. The DoC has advised Privacy Shield participant organisations that, in order to receive personal data from UK organisations in the event of a no-deal, they must update their Privacy Shield commitments (e.g., their privacy policy) by March 29, 2019, to include an express confirmation that the organisation complies with the Privacy Shield regarding the collection, use, and retention of personal information transferred from the EU and the United Kingdom to the U.S.
In brief, the Privacy Shield can continue to be used to transfer personal data from the UK to the U.S., provided that participant organisations update their privacy policies by March 29, 2019, to include an express confirmation that the organisation complies with the Privacy Shield with respect to personal information transferred from the EU and the United Kingdom to the U.S.
These commitments from the ICO and the DoC represent a welcome development in the ongoing government discussions on the free flow of personal data between the UK and the U.S., and they provide reassurance to organisations in both the EU and the U.S. that, in the event of a no-deal, there will continue to be a transfer model enabling the legitimate transfer of personal data between the EU and the U.S.