22 January 2019

Transfers of Personal Data from the EU to the U.S. in the Event of a Brexit ‘No-Deal’

The EU-U.S. Privacy Shield (“Privacy Shield”) enables the free-flow of personal data from the European Economic Area (“EEA”) to the U.S. Under the Privacy Shield, U.S. participant organisations commit to adhering to Privacy Shield principles, which include accountability for the onward transfer of personal data after receiving such data from EEA organisations, data integrity obligations and purpose limitations with respect to the personal data transferred. Privacy Shield participant organisations are also required to develop and maintain a Privacy Shield-compliant privacy policy which informs individuals of the organisation’s practices and procedures when handling personal data and explains the independent recourse mechanisms in place for individuals to address complaints with respect to the processing of their personal data. 

On 15 January 2019, the U.K. Parliament rejected the draft Withdrawal Agreement, negotiated by the British Prime Minister Theresa May and the EU, by 432 votes to 202. Under the terms of the Withdrawal Agreement, the UK would have remained a member of the EU until December 31, 2020 and therefore UK organisations would be able to rely on the Privacy Shield in order to transfer personal data from the UK to the U.S. until such date.

As it currently stands, on 29 March 2019, which is the UK’s scheduled departure from the EU, the UK will be treated as a third country and thus not an EU Member State (“no-deal”). However, the UK’s data protection authority, the Information Commissioner’s Office (the “ICO”), has recently issued guidance stating UK organisations will continue to be able to rely on the Privacy Shield in the event of a ‘no-deal’, provided U.S. Privacy Shield participant organisations have updated their public commitments to comply with the Privacy Shield (e.g., privacy policies) to expressly state such commitments also apply to transfers of personal data from the UK as well as the EU.

The ICO recommends UK organisations who wish to continue to transfer personal data to U.S. organisations via the Privacy Shield should check prior to transfer that the U.S. organisation in question has made the required updates to its commitment to comply with the Privacy Shield. Confirmation of such updates can be done through checking the U.S. organisation’s privacy policy.

Helpfully, the U.S. Department of Commerce (the “DoC”), the U.S. government authority in charge of monitoring compliance with the Privacy Shield has updated their Privacy Shield FAQs to include a section titled ‘Privacy Shield and the UK FAQs’. The DoC has advised Privacy Shield participant organisations that in order to receive personal data from UK organisations in the event of a no-deal, they must update their Privacy Shield commitments (e.g., privacy policy) by March 29, 2019, to include an express confirmation that the organisation complies with the Privacy Shield regarding the collection, use, and retention of personal information transferred from the EU and the United Kingdom to the U.S.

In brief, the Privacy Shield can continue to be used to transfer data from the UK to the U.S. provided that organisations update their privacy policies by March 29, 2019, to include an express confirmation that the organisation complies with the Privacy Shield with respect to personal information transferred from the EU and the United Kingdom to the U.S.

These commitments from the ICO and the DoC represent a welcome development in the ongoing government discussions on the free flow of personal data between the UK and the U.S. and provides a welcome reassurance to organisations in both the EU and the U.S. that in the event of a no-deal, there will continue to be a transfer model enabling the legitimate transfer of personal data between the EU-U.S.

EmailShare
XSLT Plugin by BMI Calculator