At midnight on January 31, 2020, the United Kingdom’s law formally governing its exit from the European Union went into effect. From a data protection perspective, however, Brexit has not resulted in any changes in law. In fact, the EU Withdrawal Agreement implements a transition period through December 31, 2020, to resolve post-Brexit concerns and other formalities. During that time period, most EU law (including GDPR) will continue to apply, and, presumably, the UK will establish its own international data transfer regime in cooperation with appropriate EU data protection regulators.
In light of Brexit, the US Department of Commerce has issued guidance advising EU-U.S. Privacy Shield participants on the steps necessary to remain in compliance with the Privacy Shield Framework both during and after the Transition Period.
During the Transition Period
During the transition period, the European Commission’s decision regarding the Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants. For businesses operating in the United States, current commitments to comply with the EU-U.S. Privacy Shield Framework will be considered applicable to the UK as well, without a need for any additional action.
After the Transition Period
We can expect to see additional guidance as Brexit developments for international transfers of personal data continue to unfold. In fact, the EU has already set up a Task Force, and committed to beginning the EU’s adequacy assessment of the UK “as soon as possible,” with the UK committing to reciprocate in terms of its own assessment of EU adequacy.
To learn more about the Privacy Shield Framework generally, visit https://www.privacyshield.gov/. Model language for an updated public commitment to comply with the Privacy Shield, including the UK, may be found at Privacy Shield and the UK FAQs.