Attention EU-U.S. Privacy Shield Participants: What You Need to Do to Get Ready for the UK Withdrawal from the EU

01/07/2019
Client Alert

All Privacy Shield participants should be prepared — possibly as soon as March 30, 2019 — to update their Privacy Shield commitments in order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework.

The timing of this required update depends on whether the UK Parliament approves the agreement on the terms of the UK’s exit from the EU on March 29, 2019 (“the Withdrawal Agreement”). The Withdrawal Agreement provides for an 18-month transition period in which EU law, including the data protection law and the Privacy Shield adequacy decision, will continue to apply to and in the UK. During the transition period, the United States will consider a Privacy Shield participant’s commitments to comply with the Privacy Shield Framework to include personal data received from the UK in reliance on Privacy Shield. Provided the UK Parliament approves the Withdrawal Agreement, Privacy Shield participants will not need to update their Privacy Shield commitments until December 31, 2020.

However, if the UK Parliament does not approve the Withdrawal Agreement and the UK exits the EU without a transition period (barring, of course, a new, eleventh-hour deal), then all Privacy Shield participants will need to update their Privacy Shield commitments by March 30, 2019.

Either by March 30, 2019 or December 31, 2020, Privacy Shield participants will need to take the following steps:

  • Update publicly facing privacy policies to state specifically that their Privacy Shield commitment extends to personal data received from the UK.  If it plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, an organization must also update its HR privacy policy.
  • Maintain a current Privacy Shield certification, recertifying annually as required by the Privacy Shield Framework.

According to the Frequently Asked Questions issued by the Department of Commerce, organizations that do not modify their commitments accordingly will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after either March 29, 2019, if there is no transition period, or December 31, 2020, at the end of the transition period.

After the applicable date, organizations that have publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that have committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.

©1996-2019 Morrison & Foerster LLP. All rights reserved.