Now that the United Kingdom has officially withdrawn from the European Union, all Privacy Shield participants should be prepared – by December 31, 2020 – to update their Privacy Shield commitments in order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework.
Under the terms of the UK’s Withdrawal Agreement from the EU, the EU’s General Data Protection Regulation (GDPR) will continue to apply during the transition period that runs from January 31, 2020 until December 31, 2020. During this period, the European Commission’s adequacy decision on the Privacy Shield Framework will also continue to apply to transfers of personal data from the UK to Privacy Shield participants. Moreover, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action required on the part of a participant.
However, by December 31, 2020, Privacy Shield participants who still want to receive personal data from the UK in reliance on the Privacy Shield will need to take the following steps:
According to the updated Frequently Asked Questions issued by the Department of Commerce, organizations that do not modify their commitments accordingly will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after December 31, 2020.
After the applicable date, organizations that have publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that have committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.