Britain’s withdrawal from the European Union (EU) past the original deadline day of March 29th2019.

The UK will continue to be an EU Member State during this time, and the EU’s laws will continue to apply to Britain.

The duration of the extension period has not yet been decided, but updates will be given as soon as details emerge.

Participants of the EU/US Privacy Shield Framework, which regulates transatlantic exchanges of personal data for commercial purposes between the two regions, must update their Privacy Shield commitments by the Applicable Date (below) depending on how Brexit plays out.

Potential scenarios include:

Scenario 1: Designated Transition Period

The UK and the EU have preliminarily agreed that a Transition Period will take place from the date upon which the UK leaves the EU, lasting until December 31st 2020.

During this time, EU data protection law will continue to apply in the UK, and the EC’s decision on the adequacy of the protection provided by Privacy Shield will also continue to apply to transfers of personal data from the UK to Privacy Shield participants.

Throughout the Transition Period, the US will review Privacy Shield’s participants commitments to align with the Framework to include personal data received from the UK in reliance on Privacy Shield without further action needed on the part of the Participant.

Privacy Shield participants intending on receiving personal data from the UK in reliance of Privacy Shield beyond the end of the Transition Period must follow the guidelines below by the Applicable Date of December 31st, 2020.

The Department of Commerce has urged Privacy Shield participants to use the Transition Period to update their privacy policies.

Scenario 2: No Transition Period

In the event of a “no-deal” Brexit, a Transition Period will not apply. In this eventuality, Privacy Shield participants relying on Privacy Shield must follow the steps below by the Applicable Date of April 12th2019 or May 22nd 2019, depending on the UK’s withdrawal data from the EU.

Updates by the Applicable Date:To receive personal data from the UK in reliance on Privacy Shield in the case of no Transition Period, or after the Transition Period, a Privacy Shield participant will be required to adhere to the following:

  1. A Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK. Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield.
If an organisation plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.
  1. Organisations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.
An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after the Applicable Date.

About Privacy Shield

The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.