On 20 December 2018, the US Department of Commerce issued updated standards of compliance for participants in the EU-US Privacy Shield Framework (“Privacy Shield”) to continue receiving personal data from the UK in reliance on the Privacy Shield after Brexit (which is due to take place on 29 March 2019). By way of a reminder, Privacy Shield is a framework for protecting the fundamental rights of anyone in the EU whose personal data is transferred to the United States for commercial purposes.

After Brexit, US organisations participating in Privacy Shield must implement the following additional measures:

  1. Any statement setting out a public commitment to comply with the Privacy Shield must expressly confirm that the commitment extends to personal data received from the UK in reliance on Privacy Shield. Furthermore, if a participant plans to receive Human Resources (“HR”) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy; and
  2. A current Privacy Shield certification must be maintained and recertified annually.

The deadline for participants to adopt these measures depends on whether the UK Government finalises a withdrawal agreement with the EU. If there is no deal (and therefore no transition period), a participant that has not implemented these measures will be unable to rely on the Privacy Shield to receive personal data from the UK after 29 March 2019. If the UK Government finalises a deal with the EU, the cut-off is instead 31 December 2020, the end of the transition period (each of these dates an “Applicable Date”). During the transition period the European Commission’s adequacy decision on Privacy Shield would continue to apply, meaning that the level of protection Privacy Shield affords to personal data is treated as essentially equivalent to that offered by EU law. Please see our blog from November 2018 for further information about the draft withdrawal agreement and the effect of adequacy decisions.

After the Applicable Date, a participant that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK will be required to cooperate and comply with the Information Commissioner’s Office (the UK’s data protection regulator).