All Privacy Shield participants should be prepared — possibly as soon as March 30, 2019 — to update their Privacy Shield commitments in order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework.
The timing of this required update depends on whether the UK Parliament approves the agreement on the terms of the UK’s exit from the EU on March 29, 2019 (“the Withdrawal Agreement”). The Withdrawal Agreement provides for an 18-month transition period in which EU law, including the data protection law and the Privacy Shield adequacy decision, will continue to apply to and in the UK. During the transition period, the United States will consider a Privacy Shield participant’s commitments to comply with the Privacy Shield Framework to include personal data received from the UK in reliance on Privacy Shield. Provided the UK Parliament approves the Withdrawal Agreement, Privacy Shield participants will not need to update their Privacy Shield commitments until December 31, 2020.
However, if the UK Parliament does not approve the Withdrawal Agreement and the UK exits the EU without a transition period (barring, of course, a new, eleventh-hour deal), then all Privacy Shield participants will need to update their Privacy Shield commitments by March 30, 2019.
By either March 30, 2019 or December 31, 2020, Privacy Shield participants will need to take the following steps:
- Organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Privacy Shield Framework.
According to the Frequently Asked Questions issued by the Department of Commerce, organizations that do not modify their commitments accordingly will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after either March 29, 2019, if there is no transition period, or December 31, 2020, at the end of the transition period.
After the applicable date, organizations that have publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that have committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.