Organisations using Privacy Shield need to update privacy notices in case of a no-deal Brexit

What impact will Brexit have on international data transfers?

With the UK’s departure from the EU potentially imminent, a key area of change for organisations will be international data transfers. After developments on Thursday 21 March, the EU has granted two extension dates to the UK, dependent on whether the Withdrawal Agreement is approved. If it is approved, the departure date will be 22 May 2019 (unless the UK agrees to participate in European elections, which the government says it does not intend to). If it is not approved, and the government does not set out a Plan B which is acceptable to the EU, the UK could leave the EU on 12 April 2019 without a deal being reached. 

The final stages of the Brexit process therefore remain unclear and organisations need to be prepared for a potential exit from the EU on 12 April 2019.

How do organisations currently transfer data?

Under the current law, as the UK is a member of the EU, a common method used by organisations to transfer personal data between the UK and USA is through the EU-US Privacy Shield. This is a certification method for US organisations which provides an “adequacy decision” for data transfers between the EU and the USA (certifying that adequate protections are in place for personal data transferred to the US).  Similar arrangements apply for data transfers between Switzerland and the USA and there is a separate Switzerland-US Privacy Shield for this purpose.

What will change in the event of a No-Deal Brexit?

However, in the event of the UK leaving the EU without a deal on 12 April 2019, organisations will only be able to rely on the Privacy Shield to transfer data from the UK to the US if they have updated their Privacy Shield wording to refer to personal data transfers from the UK. They will need to have the revised wording in place from 12 April 2019. There is suggested wording for updating the Privacy Shield wording on the Privacy Shield Program’s website.

What steps should companies take to protect themselves moving forwards?

Organisations need to urgently review their policies - both US organisations certified under the Privacy Shield and UK organisations that rely on the Privacy Shield to transfer personal data to the US. UK organisations should check that the US organisations have made the necessary updates to their commitment to compliance with the Privacy Shield to include UK data transfers (for example by checking the US organisation's publicly available privacy policy). Privacy notices also need to be updated to reflect the new position.   

If the UK’s Withdrawal Agreement negotiated with the EU is approved by Parliament, the current EU-Privacy Shield framework will permit transfers to take place during the transition period, as the GDPR will continue to apply during the transition (i.e.until 31 December 2020). However, in the absence of a deal (or an extension being agreed), the changes could be imminent and need to be addressed as a matter of urgency.