On January 31, 2020, the International Trade Association’s Privacy Shield Team issued guidance concerning changes to Privacy Shield Framework in the wake of the United Kingdom’s exit from the European Union. For those wondering how Brexit will impact cross-border data transfers, here are a couple items to note.
First, during the Transition Period from January 31, 2020 until December 31, 2020, EU laws governing the Privacy Shield Framework remain in place and no additional action is required on the part of Privacy Shield participants.
Second, once the Transition Period ends, Privacy Shield participants will be required to:
1) Update their public commitment to comply with Privacy Shield to expressly include the UK. The model language for adding a UK commitment is as follows:
“(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.”
2) Organizations must also maintain their current Privacy Shield certification, and recertify annually as required by the Framework.
For additional information, please see the following: https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs