Client Alert

Attention EU-U.S. Privacy Shield Participants: Here Is What You Need to Do During the Brexit Implementation Period

06 Feb 2020

Now that the United Kingdom has officially withdrawn from the European Union, all Privacy Shield participants should be prepared – by December 31, 2020 – to update their Privacy Shield commitments in order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework.

Under the terms of the UK’s Withdrawal Agreement from the EU, the EU’s General Data Protection Regulation (GDPR) will continue to apply during the transition period that runs from January 31, 2020 until December 31, 2020. During this period, the European Commission’s adequacy decision on the Privacy Shield Framework will also continue to apply to transfers of personal data from the UK to Privacy Shield participants. Moreover, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action required on the part of a participant.

However, by December 31, 2020, Privacy Shield participants who still want to receive personal data from the UK in reliance on the Privacy Shield will need to take the following steps:

  • Update publicly facing privacy policies to state specifically that their Privacy Shield commitment extends to personal data received from the UK. If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.
  • Maintain a current Privacy Shield certification, recertifying annually as required by the Privacy Shield Framework.

According to the updated Frequently Asked Questions issued by the Department of Commerce, organizations that do not modify their commitments accordingly will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after December 31, 2020. 

After the applicable date, organizations that have publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that have committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.
