In light of the UK’s possible departure from the European Union (EU), currently scheduled for October 31, 2019 (“Exit Day”), the UK Government has passed the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No.2) Regulations 2019 (“Regulations”) which enter into force immediately before Exit Day.

Under the Regulations, transfers of personal data from the UK to the U.S., that rely on the EU to U.S. Privacy Shield, a U.S. Department of Commerce (“DOC”) and European Commission approved framework where U.S. companies self-certify to comply with data protection principles when transferring personal data from the EU to the U.S., may only occur if at the time of the transfer the U.S. transferee’s privacy policy includes an express commitment to comply with Privacy Shield principles where the personal data is transferred from the UK.

Contemporaneously, the DOC has also published guidance requiring U.S. Privacy Shield participants to update their public commitments (e.g., privacy policies) to comply with the Privacy Shield to expressly state that such commitments extend to personal data received from the UK, upon reliance on the Privacy Shield. The DOC requires Privacy Shield participants to make such amendments to their privacy policies prior to Exit Day.