For many ACT | The App Association members, the United Kingdom (UK) is a natural market to look to for growth. Many of these App Association members in the United States doing business in the UK and the European Union (EU) utilize the EU-U.S. Privacy Shield, a framework enabling U.S. companies to ensure that they can receive data from the EU in compliance with privacy laws and regulations.
With “Brexit” – the decision of the UK to withdraw from the EU – looming, it is important for App Association members to make sure they take needed steps to minimize the impact of Brexit on their businesses. App Association members certified to the EU-U.S. Privacy Shield should act immediately to update their Privacy Shield privacy policies (if they have not done so already) to ensure that they are able to continue lawfully receiving personal data from the UK post-Brexit.
First, a little background: what is the EU-U.S. Privacy Shield?
The EU-U.S. Privacy Shield, which went into effect on August 1, 2016, is used to efficiently and legally transfer data from the EU to the United States. Companies self-certify their compliance with the Privacy Shield, with oversight from the U.S. Federal Trade Commission (FTC) or U.S. Department of Transportation (DOT) under their respective authority over “deceptive” trade practices. To comply with the Privacy Shield, each participant must follow the Privacy Shield’s rules as well as have a public-facing Privacy Shield privacy policy. The App Association is a longtime supporter of the Privacy Shield, and we continue to encourage our U.S. members that do business with and/or in the EU to use the Privacy Shield to efficiently and legally receive data from the EU.
How does Brexit affect the EU-U.S. Privacy Shield?
In 2016, the UK famously voted in a national referendum to leave the EU. Since then, an overwhelming amount of news coverage has profiled the UK government’s efforts to negotiate an exit from the EU with a smooth transition and avoid a “no deal” Brexit that would flash-cut the UK’s ties to the EU. Most recently, EU leaders granted an extension to the UK, shifting the deadline for Brexit to October 31, 2019.
Brexit puts a vast number of the UK’s current legal constructs and international trade arrangements in jeopardy, including the EU-U.S. Privacy Shield. Fortunately, this past December, the UK Information Commissioner’s Office (ICO) clarified that existing EU decisions, including the Privacy Shield, will remain the legal mechanism to export data from the UK. In response to Brexit’s uncertain timeline, the U.S. Department of Commerce (DOC) has published Privacy Shield and the UK FAQs, which make recommendations for organizations certified to the Privacy Shield (“Privacy Shield organizations”) seeking to continue to enjoy its benefits with respect to the UK.
According to DOC’s Privacy Shield FAQs, there are two scenarios to be prepared for:
1. “No Transition Period” or “Hard/No-Deal Brexit”: In the event that the UK and EU do not finalize an agreement on Brexit, Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the steps below by the date of the UK’s withdrawal from the EU (currently set for October 31, 2019).
2. “Transition Period” or “Soft Brexit”: Currently, the UK and EU have preliminarily agreed that from the date the UK leaves the EU until December 31, 2020, EU law (including EU data protection law) will continue to apply to the UK. Should a negotiated “soft Brexit” occur that retains this date, those seeking to receive personal data from the UK in reliance on the Privacy Shield should take the steps recommended below by December 31, 2020.
Taking steps to protect your UK data flows in light of Brexit
The DOC is recommending that, in order to receive personal data from the UK and to comply with the Privacy Shield, a Privacy Shield participant do the following:
1. A Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK. DOC suggests that U.S. Privacy Shield organizations conducting business in the UK should reference UK data transfers in their privacy policies (and, if an organization plans to receive human resources [HR] data from the UK in reliance on the Privacy Shield, it must also update its HR privacy policy) with the following language:
“(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.”
2. Organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.
Whether the UK has a “no deal” Brexit on October 31, 2019, or the Brexit transition period ends on December 31, 2020, Privacy Shield organizations should update their privacy policies (and HR privacy policies) soon to comply with the new requirement.