After the frenzy of activity leading up to May 2018, when Europe’s General Data Protection Regulation went into effect, the privacy front has not been as quiet as businesses might think.
Legislators across the US and other countries have been busy drafting and debating laws that are likely to take effect over the coming months and years. In my last article, I addressed legislative activity across the US that seeks to expand individuals’ privacy, such as the California Consumer Privacy Act. Here, I cover the effects an increasingly likely “no deal” Brexit might have on data transfers between the UK and other jurisdictions after Oct. 31.
In April 2018, the US Department of Commerce updated its frequently asked questions on the EU-US and Swiss-US Privacy Shield Frameworks (collectively called the Privacy Shield) to clarify the effect of the UK’s planned withdrawal from the EU on Oct. 31.
The FAQs provide information on the steps Privacy Shield participants must take to receive personal data from the UK in reliance on the Privacy Shield after Brexit. According to the FAQs, a Privacy Shield participant who would like to continue to receive personal data from the UK following Brexit must update its Privacy Shield commitments to include an affirmative statement that its commitments will extend to personal data received from the UK in reliance on the Privacy Shield.
The deadline for implementing the steps depends on whether the UK and EU are able to finalize an agreement for the UK’s withdrawal from the EU. If the UK and EU reach an agreement regarding withdrawal, it is likely there will be a transition period in which EU data protection law will continue to apply to the UK. Under the current unpopular withdrawal agreement, the transition period would give Privacy Shield participants until Dec. 31, 2020, to implement changes to their Privacy Shield commitments to bring the UK into line with the rest of the EU, once the UK leaves.
To the extent no such agreement is reached and the UK leaves without a “deal” on Oct. 31, participants must implement the changes by that date.
Data Transfers to the UK Post-Brexit
The European Commission has the power to determine (an “Adequacy Decision”) whether a country outside the EU offers an adequate level of data protection for the data of EU citizens. In July 2016, the European Commission adopted an Adequacy Decision in respect of the EU-US Privacy Shield Framework, but unfortunately it looks increasingly unlikely that the EU will make a similar decision in the case of the UK before Brexit Day on Oct. 31.
Without an agreement providing for a period of transition, on that date the UK will effectively become a third country and will be cast out of the EU’s GDPR “club” despite having passed laws which establish an equal level of protection. Without an Adequacy Decision, EU businesses transferring personal data to the UK must have adequate safeguards in place such as standard contractual clauses between transferor and transferee. The UK’s Information Commissioner has a helpful tool to help businesses consider what they have to do.
Wherever businesses are operating, it will not be long before GDPR- or CCPA-style laws are enacted, if they are not in process already. And Brexit will affect companies that receive data from the UK. Following closely what is happening elsewhere, and starting to adapt policies and procedures to fall in line with the prevailing legislative attitude, will lessen the impact when the time comes to comply.