The Department of Commerce recently issued a number of FAQs on the effect of the UK’s impending exit from the EU on the Privacy Shield. As these FAQs make clear, there remains significant uncertainty as to how the UK’s exit will play out from a transitional perspective, and Privacy Shield participants will need to plan for at least two different scenarios.
In the first scenario, the UK and the EU manage to finalize an agreement on a transitional period – from the planned date of the UK’s exit, March 30, 2019, to December 31, 2020 – during which EU law (and EU data protection law) will continue to apply in the UK. In the second scenario, the UK and the EU do not agree to a transitional period, and the UK’s exit from the EU takes full effect on March 29, 2019.
The FAQs explain that at the end of the transitional period, or by March 29, 2019 if there is no transitional period, participants will need to take the following steps in order to receive personal data from the UK in reliance on the Privacy Shield, after which they “will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office” with respect to such data:
- Update their “public commitment to comply with the Privacy Shield to include the UK.” If participants receive HR data in reliance on the Privacy Shield, they must also update their HR privacy policies. The FAQs include model language for such updates that builds on the Department of Commerce’s existing language on participation in the Privacy Shield.
- Continue to maintain a current certification, and recertify annually as required by the Privacy Shield.