EU-US Privacy Shield – What happens after Brexit for UK companies?

The EU-US Privacy Shield covers transfers from within the European Union to the United States, but once Brexit happens, and the United Kingdom is no longer a member of the EU, where does this leave companies with the compliance of their transatlantic data transfers?

The United Kingdom is expecting to withdraw from the European Union on 29 March 2019, albeit even at this late stage, the situation remains very uncertain across the board and not just for privacy issues (as we discussed back in November 2018).

Whenever personal data is entered into a network (IT servers, SaaS applications, cloud storage) which could be accessible in the US, an act of data transmission has taken place. This could be obvious, like intra-group transfers for larger, international companies, or it could be behind the scenes - for example, if your company uses a cloud-based CRM tool and the servers are located in the US.

 Given the fact that the United States is a world-leader in IT solutions, data hosting and cloud storage, almost every company deals in US-based data processing.

The GDPR requires companies to meet certain standards when transferring personal data to non-EU countries (or “third countries”). This means that transfers from the EU to the US have to be subject to certain safeguards. One of those safeguards is the so-called EU-US Privacy Shield.

After much debate as discussed in our previous insight, the Privacy Shield Framework governing EU-US personal data transfers was reaffirmed by the European Commission in December 2018 and therefore remains a valid mechanism for personal data transfers between these two regions.

In order to legitimize their international data transfers from the UK to the US, many companies rely on the EU-US Privacy Shield Framework to ensure the safer the transfer of personal data.

Essentially, companies can self-certify under the Privacy Shield Scheme, and renew this certification every year. By becoming certified, companies are able to show that they have implemented appropriate legal safeguards for the adequate protection of personal data transferred from the continent across the Atlantic - and are therefore able to evidence compliance with the GDPR.

Whilst the UK remains within the EU, it is still possible for companies to benefit from the EU-US Privacy Shield mechanism, however after Brexit, when the UK would itself become a “third country”, things are not so certain.

The first instinct is to think that once the UK leaves the EU, the GDPR will no longer apply, but that is incorrect because the GDPR has international application and can apply to companies’ data processing activities even when they do not take place within the EU. For more information about this, see our Insights Part 1 and Part 2.

It is therefore really important that companies take appropriate steps when transferring personal data from the UK to the US to ensure that they are compliant with the law.

MAINTAINING THE PRIVACY SHIELD PROTECTION POST-BREXIT

Presuming that Brexit goes ahead on 29 March 2019, and depending on whether there will be a transition period or not, it is important that companies taking part in the Privacy Shield framework update their commitments before this date.

In the event we will see a transition period, EU law – and, therefore, that includes data protection rules – will continue to apply in the United Kingdom until 31 December 2020. This simply means that the protection granted by the EU-US Privacy Shield will continue to apply to transfers of personal data from the UK and companies participating in the Privacy Shield framework. 

There is also the possibility that there is no transition period in the event of the EU and the UK not reaching an agreement (a Hard Brexit), meaning that companies need to act fast to ensure that their EU-US Privacy Shield framework still applies to personal data coming from the United Kingdom.

According to advice from the US Department of Commerce, any organization relying on the EU-US Privacy Shield framework will have to expressly include the UK in its public commitments (i.e. within its publicly available Privacy Policies). 

If companies fail to do this, they will not be able to rely on the EU-US Privacy Shield framework to legitimized the transfer of personal data from the UK to the US after 29 March 2019, in the event of a Hard Brexit, or after 31 December 2020 provided that there is a transition period. In addition, companies relying on the EU-US Privacy Shield framework will need to continue to maintain their certification and renew it each year as it is required. 

Whilst nothing is definite yet as no agreement has been reached for Brexit or any potential transition period, it certainly makes sense for companies relying on the EU-US Privacy Shield to update their public commitments ASAP.

As always, if you are uncertain on the agreements you have in place or would like assistance with the compulsory wording to maintain Privacy Shield protection for your post-Brexit UK-US transfers, please get in touch.

Article by Soraya Redondo, Legal Consultant and Charlotte Gerrish, Founder @ Gerrish Legal

February 2019