Since the fall of Safe Harbor, Privacy Shield has governed how personal data can be transferred from Europe into the US. However, with the UK’s exit from the European Union (EU) looming, organizations need to look at how data is transferred from the UK to the US – whether internally among a company’s different locations or externally to different partners – as well as the notion of using the UK as a base for EU operations.
While the political situation around Brexit is in a near-constant state of flux, companies on both sides of the Atlantic should be aware that they will likely need to take action with regard to ensuring compliant data transfers no matter how the UK leaves the EU.
Data transfers under Privacy Shield
Currently all personal data moving from the UK to the US is governed under the Privacy Shield framework agreed to by the EU and the US. In place since February 2016, Privacy Shield is designed to ensure the free flow of personal data between the EU and US while at the same time obligating US companies to comply with the EU’s data protection requirements around the personal data of EU citizens.
These requirements come in the form of Privacy Shield Principles such as notice, choice, accountability for onward transfer, data integrity and purpose limitation. It also requires processes for dealing with complaints, employee training, and disciplinary actions. The framework is self-certified and must be renewed annually. The Privacy Shield site maintains a list of certified companies.
“The self-certification process is fairly rigorous,” explains Steven Chabinsky, partner, White & Case. “Organisations must have a published privacy policy regarding personal information received from the EU that is accurate, comprehensive, prominently displayed, completely implemented and accessible. They must also indicate and verify that their privacy policy conforms to the 23 Privacy Shield Principles, as applicable.”
Depending on what kind of Brexit the UK undergoes, data transfers between the UK and the EU will either be covered by a withdrawal agreement if one is put forward or, if there is a no deal, UK companies will need to implement either Standard Contractual Clauses or Binding Corporate Rules to ensure compliant flows of information between the two territories. However, while not needing such drastic amendments, data transfers going from the UK into the US post-Brexit will need closer inspection and slight amendments.
What happens to Privacy Shield after Brexit?
The good news is that whatever kind of Brexit happens, data can continue to flow from the UK to the US. Under the withdrawal agreement tabled under previous Prime Minister Theresa May, the UK would have been subject to a transition period where current data protection agreements such as Privacy Shield would still have been valid and unaffected until 2020. If this, or a very similar, withdrawal agreement is put forward again, companies in the UK and US will continue as before but will need to be aware of updated guidance for how to prepare for what happens after any transition period.
In the event of a no-deal Brexit, the UK has said it plans to keep all the adequacy decisions the EU has made, including Privacy Shield, after it leaves the bloc. This means that the UK government and Information Commissioner’s Office (ICO) will deem the controls and protections Privacy Shield requires for certification as good enough to ensure data transfers from the UK to the US without any additional protections.
However, while US companies won’t need be required to change their data protection standards processes in the event of Brexit, they will need to make slight changes to their public commitments to Privacy Shield. The Privacy Shield’s UK FAQs page has been updated to include the wording US companies will need to include in their Privacy Shield commitments in the event of no deal. These are largely limited to adding “United Kingdom” to current commitment statements.
“An organization that has committed to cooperate and comply with the EU Data Protection Authority panel under the framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office with regard to personal data received from the UK in reliance on Privacy Shield,” says Caitlin Fennessy, senior privacy fellow at the International Association of Privacy Professionals (IAPP) and previously Privacy Shield Director at the US International Trade Administration.
Since the US does not have any equivalent restrictions around data flows, information going from the US into the UK or EU should not be affected by Brexit. However, US companies will need to aware that using the UK as a base for EU operations will be affected, and companies dealing with personal data from Europe will have two similar but separate regimes to consider.
“US businesses with UK and EU offices will need to ensure that they understand the data flows between jurisdictions and the basis upon which those flows operate,” Karl Foster, privacy expert and legal director at Blake Morgan. “After Brexit, the UK will sit outside the EU regulatory regime, and US businesses may need to designate establishments in both UK and EU if the data relates to both jurisdictions. In the event of a regulatory investigation, it would face two investigations by the ICO and relevant EU lead supervisory authority (potentially for the same processing activities).”
What UK companies need to do about Privacy Shield and Brexit
For UK organizations, the ICO has stated that in the event of no deal, “UK businesses will continue to be able to transfer personal data to US organisations participating in the Privacy Shield provided those US organisations have updated their public commitment to comply with the Privacy Shield to expressly state that those commitments apply to transfers of personal data from the UK.”
UK organisations will need to check that the US organisations they are sending data to have updated their commitments to compliance with the Privacy Shield to include the UK in its privacy policy wording and will need to check that companies they are sending data to still maintain an active Privacy Shield certification.
“UK companies will need to check whether Privacy Shield-certified recipients have made that commitment in their privacy notices, and if not, request that they do so,” explains Bridget Treacy, partner at Hunton Andrews Kurth. “If recipients are unable or unwilling to do so, UK companies will need to consider other available data transfer mechanisms in relation to the transfers, such as EU Model Clauses.”
Although many things could change post-Brexit, data protection regimes probably won’t. The UK will have powers to revoke or grant its own adequacy decisions post-Brexit, but the ICO hasn’t made any comments around this and there has been little indication that Privacy Shield will be affected in such a way. “If Privacy Shield continues to be deemed adequate by the EU, the UK will continue to recognize this and leverage the existing measures,” says Blake Morgan’s Foster.
Could the UK end up with its own Privacy Shield?
Ideally, the EU will deem the UK “adequate” at some point after Brexit has occurred. Such a decision will ensure the free flow of data between the UK and EU without the need for additional controls or contractual agreements.
Although the UK’s Data Protection Act brings GDPR into UK law and theoretically puts the country on an equal footing as the EU in terms of data protection standards, an adequacy statement isn’t guaranteed. The UK’s Investigatory Powers Act (also known as the “Snooper’s Charter”) and the passing on intelligence or national security data as part of the Five Eyes alliance may present potential stumbling blocks to any adequacy decision if the EU decides they contravene EU citizens' rights.
“The UK will not be automatically awarded adequacy status and frustratingly, the European Commission has said it will not commence an adequacy assessment until the UK has left the EU,” says William Charlesworth, associate lawyer at Child & Child. “Will the UK pass the test? While the UK’s own data protection legislation broadly mirrors the provisions of the GDPR, the EU has expressed concerns that the UK’s crime and national security legislation could be said to violate an individual’s privacy, so adequacy may hang in the balance.”
None of the legal experts CSO contacted thought it was likely that the UK would enter its own Privacy Shield-like agreement with the EU, nor join the current Privacy Shield agreement as a mechanism for sending data between the two. All thought an adequacy decision was the most likely outcome, even if it may take some time to happen.
“As with a Privacy Shield, the process for adequacy approval typically takes some time to negotiate, so this is not a quick fix solution,” says Hunton Andrews Kurth’s Treacy. “Typically, those types of agreements take several years to negotiate and agree, so if the EU or US and the UK government were to begin talks, it would likely be at least several years until any arrangements came into effect.”