With the deadline for a no-deal Brexit looming—the UK’s exit date from the European Union is now slated for April 12—companies certified to the EU-U.S. Privacy Shield should update their Privacy Shield privacy policies if they have not done so already to ensure that they are able to lawfully receive personal data from the UK post-Brexit.
The UK Information Commissioner’s Office (ICO) clarified this past December that existing EU adequacy decisions, including the Privacy Shield framework, would remain lawful mechanisms to export personal data outside of the UK. Since then, the U.S. Department of Commerce (DOC) has published Privacy Shield and the UK FAQs, which clarify that organizations certified to Privacy Shield will not only need to maintain their current Privacy Shield certification (including annual recertification) but also add to their public Privacy Shield commitment a separate reference to treat UK-based data transfers as subject to their Privacy Shield certification.
DOC has suggested that Privacy Shield organizations reference UK data transfers in their privacy policies similarly to the following model language:
(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
This may seem like a small change, but DOC views this as important because Privacy Shield does not carry the force of law unto itself. Rather, Privacy Shield is enforced by the Federal Trade Commission and Department of Transportation under their respective authority over “deceptive” trade practices. The key to enforcement is each participant’s public-facing Privacy Shield privacy policy: if a company represents that it complies with Privacy Shield, but does not follow Privacy Shield’s rules, its representation of compliance is treated as a “deceptive” trade practice. Therefore, if participants do not update their privacy policies—which previously were just required to state that they comply with Privacy Shield with respect to EU and/or Swiss personal information—then conceivably a Privacy Shield participant could claim that they never made a claim of compliance with respect to the transfer of UK personal information. So to remain a participant in the program, DOC is requiring the privacy policy update to expressly reference UK data.
Our blog has been tracking Brexit’s uncertain timeline and its implications for privacy compliance. UK privacy regulators have issued guidance accounting for two eventualities that also are reflected in the DOC’s Privacy Shield FAQs: (1) “No-deal” or “hard” Brexit, after which there would be no transition period for shifting to UK rules, or (2) “soft” Brexit that would permit a year-long transition period during which EU rules would still apply. Because it is still unclear whether the UK and EU will finalize their withdrawal agreement implementing the transition period, Privacy Shield certified organizations should plan for a “hard” Brexit that would require updated privacy policies by April 12, 2019 or May 22, 2019 (depending on which “hard” Brexit date is used). In case of a “soft” Brexit according to the current draft withdrawal agreement, Privacy Shield organizations would have until December 31, 2020 to comply with the new requirement.
Organizations certified to Privacy Shield also should understand DOC’s view that if they previously selected the EU Data Protection Authority Panel as their external dispute resolution method (or if they use Privacy Shield to transfer human resources data, in which case the EU Data Protection Authority Panel applies by default), they will be required to “cooperate and comply” with the ICO in the event of a complaint by a UK resident. If selected, EU Data Protection Authority Panel has authority to issue binding “advice” to Privacy Shield organizations in response to disputes raised by data subjects, at which point the organization must comply within 25 days.
[View source.]
