
Data, Privacy Shield and Brexit

The government has laid down new legislation to ensure that personal data transferred from the UK to Privacy Shield organisations in the US will continue to be protected under the Privacy Shield Framework should the UK leave the EU without a Withdrawal Agreement.

With the 29th March drawing ever closer, the government is looking to use its powers under the European Union (Withdrawal) Act 2018 to address deficiencies in retained EU law arising from the UK’s withdrawal from the EU.

Personal data cannot be exported out of the EU unless either it is to a country in respect of which the EU has made an adequacy decision or other safeguards have been put in place (such as using the EU model clauses or binding corporate rules).

In the case of the USA there is a special mechanism to enable cross-border transfers (i.e. from the EU to the USA), known as the EU-US Privacy Shield, which was approved by the European Commission on 12 July 2016 (replacing the previous Safe Harbour regime). Although concerns have been raised about the Privacy Shield, it presently allows companies in the UK to transfer personal data to US companies which are Privacy Shield certified.

As part of the Brexit process, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“Main Regulations”) were introduced to amend the territorial application of the UK’s Data Protection Act 2018 after exit day.

However, it has transpired that there was a deficiency in the Main Regulations with regard to the EU-US Privacy Shield, so the draft Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No 2) Regulations 2019 have now been laid before parliament. These provide that transfers of personal data from the UK in reliance on the Privacy Shield can only take place after 29 March 2019 in a no deal scenario if the certified Privacy Shield organisation has updated its privacy policy to refer to personal data transfers from the UK.

What does this all mean in practical terms?

In short, it means that:

  • US organisations which are Privacy Shield certified will need to update their privacy policies to reflect this change, in the event of a no deal.
  • UK organisations planning to transfer personal data to Privacy Shield certified organisations after exit day will need to make sure that this change has been made before doing so.