The United Kingdom left the European Union at 11:00 pm on January 31, 2020. However, the UK has entered into transitional arrangements with the EU under which the existing data protection frameworks established by the GDPR, including the EU-US Privacy Shield, will continue to apply until December 31, 2020 (the period until such date, the “transition period”).
What happens now?
In its recent statement, the UK’s data protection regulator (the Information Commissioner’s Office) confirmed that organizations do not need to take any immediate action at this point. As such, organizations should continue to follow existing guidance in relation to their data processing and transfer operations concerning the UK.
The ICO has also updated its Brexit FAQs to reiterate that, during the transition period:
- data transfers between the UK and the European Economic Area will not be restricted
- there is no need for organizations without offices, branches or other establishments in the EEA to appoint a European representative
- the ICO will continue to be a “Lead Supervisory Authority” for relevant organizations established in the UK
What happens at the end of the transition period?
Barring an extension, this transitional arrangement will come to an end on December 31, 2020. Organizations will need to consider what the position will be at this point and how to prepare. That said, the UK-specific data protection regime that will apply after the transition period is likely to be closely aligned with the GDPR.
Can organizations rely on the EU-US Privacy Shield during the transition period?
During the transition period, UK data exporters and Privacy Shield participants can continue to rely on the Privacy Shield as a legal basis for transfers in the same fashion as they did before the UK left the EU.
Indeed, the United States Department of Commerce’s newly updated Privacy Shield and the UK FAQs confirm that Privacy Shield participants do not need to take any action to continue to rely on the Privacy Shield for personal data received from the UK during the transition period.
What needs to be done to continue to rely on the Privacy Shield after the transition period?
Privacy Shield participants
Privacy Shield participants need to:
- have extended their public commitments (and/or HR privacy policies, where relevant) before the end of the transition period, to specifically include personal data received from the UK
- maintain their Privacy Shield certification going forward
As a note: the Department of Commerce’s guidance indicates that US organizations that extend their public commitments (and/or HR privacy policies) to include data received from the UK will be taken to have committed to cooperate and comply with the ICO in respect of that data.
UK-based data exporters relying on importers’ Privacy Shield certifications
The ICO’s International Data Transfer Guidance confirms that, once the transition period is over, relevant UK data exporters need to have ensured that Privacy Shield participants have updated their public commitments in the fashion described above.
This means that UK-based exporters need to check that the public commitments expressly state they apply to transfers of personal data from the UK, as well as data received from the EU.
The easiest way to do this should be to check the relevant Privacy Shield-certified organizations’ privacy notices.
What other planning needs to be done pre-2021?
Although we cannot be definitive at this stage, any planning for expiry of the transition period could involve:
- establishing GDPR-compliant safeguards to ensure data can continue to flow from the EEA to the UK
- taking the steps described above where the Privacy Shield is relevant
- UK organizations appointing European representatives, as and when required by the GDPR
- making any necessary updates to the contents of privacy notices to reflect the UK’s potential “third country” status (if no adequacy decision is received before 2021)