On 15 January 2019, the U.K. Parliament rejected the draft Withdrawal Agreement, negotiated by the British Prime Minister Theresa May and the EU, by 432 votes to 202. Under the terms of the Withdrawal Agreement, the UK would have remained a member of the EU until December 31, 2020 and therefore UK organisations would be able to rely on the Privacy Shield in order to transfer personal data from the UK to the U.S. until such date.
As it currently stands, on 29 March 2019, which is the UK’s scheduled departure from the EU, the UK will be treated as a third country and thus not an EU Member State (“no-deal”). However, the UK’s data protection authority, the Information Commissioner’s Office (the “ICO”), has recently issued guidance stating UK organisations will continue to be able to rely on the Privacy Shield in the event of a ‘no-deal’, provided U.S. Privacy Shield participant organisations have updated their public commitments to comply with the Privacy Shield (e.g., privacy policies) to expressly state such commitments also apply to transfers of personal data from the UK as well as the EU.
In brief, the Privacy Shield can continue to be used to transfer data from the UK to the U.S. provided that organisations update their privacy policies by March 29, 2019, to include an express confirmation that the organisation complies with the Privacy Shield with respect to personal information transferred from the EU and the United Kingdom to the U.S.
These commitments from the ICO and the DoC represent a welcome development in the ongoing government discussions on the free flow of personal data between the UK and the U.S. and provides a welcome reassurance to organisations in both the EU and the U.S. that in the event of a no-deal, there will continue to be a transfer model enabling the legitimate transfer of personal data between the EU-U.S.