Articles | Privacy Shield update in light of Brexit

Cathrine Ripley, partner in the commercial and technology team at FSP, considers the recent comments made about the draft Privacy Shield arrangement and what impact Brexit will have on the arrangement itself.


1 London Street,

+44 (0)118 951 6200


Cathrine Ripley

Cathrine Ripley

Right now, there is a great deal of uncertainty around the implications of Brexit. The outcome of the UK’s referendum on its membership of the EU is already having immediate political and financial consequences for the UK. In time, UK law will be affected - for example, reforms such as the General Data Protection Regulation (Regulation) framework, which is due to update the existing data protection across the EU in 2018 may not directly apply. However, if the UK wishes to continue trading with the single market once it leaves the EU it is very likely that it will need to have in place the same data protection standards as apply across the EU. To that end, the Information Commissioner’s Office (ICO) has already put out a statement, following the referendum result, confirming that it will seek ‘equivalent’ data protection standards to the Regulation’s framework.

Brexit & Privacy Shield

So what of EU-US data transfers? On June 24, it was reported that US regulators and the European Commission had agreed on a finalised version of the Privacy Shield, the successor to Safe Harbor.

Given that the general consensus over the previous draft of the Privacy Shield amongst MEPs was that despite negotiations between the European Commission and US administration there still remained a number of “deficiencies”, it is encouraging to hear that the revised draft is said to address a number of these concerns.

The latest draft, has not yet been made public, but early reports suggest that some deficiencies with the arrangement have been remedied such as:

  • allowing bulk data to be collected which does not meet the requisite criteria of "necessity" and "proportionality";
  • making no provision for the US ombudsperson, appointed to address complaints, to be sufficiently independent; and
  • permitting personal data to be retained longer than the purpose for which it was collected.

What next?

Despite being overshadowed by recent events, the status of the Privacy Shield arrangement remains of great interest to European companies and those in the US alike. Whilst the Privacy Shield arrangement may not, as yet, cover transfers of personal data to the UK, it is thought that the ICO might approve the arrangement for UK-US transfers or set up a similar alternative method for such transfers.

As for the revised draft of the Privacy Shield, it is currently with the Article 31 Working Party, which is imminently expected to decide upon whether to accept it in its current form or not. With Europe’s economy recovering from a post-Brexit shock it would be advantageous for the arrangement to be approved as swiftly as possible in order provide some much needed business certainty for EU-US data transfers. We await with anticipation the Working Party’s decision.

For now, the UK is still part of the EU and the message in respect of data protection remains clear: keep calm and carry on complying with the UK’s Data Protection Act 1998 which as the ICO stated remains the law of the land irrespective of the referendum result.