Three and a half years after UK citizens voted to leave the EU, the country officially left the Union on January 31. One of the many questions resulting from the departure is what happens to the EU-U.S. Privacy Shield as it applies to personal data transferred from the UK. The Commerce Department’s FAQs on Privacy Shield and the UK provide some answers; we highlight the key points below.
December 31, 2020 is the key date to watch. That is the end date for the UK-EU Transition Period. During this time, the European Commission will continue to consider personal data transfers from the UK under Privacy Shield as receiving adequate data protection. Privacy Shield-certified entities will not have to take any additional action to cover transfers that occur during this Transition Period.
However, certified entities will need to make some adjustments this year to continue to transfer personal data from the UK under Privacy Shield after the Transition Period. Specifically, a Privacy Shield-certified entity must take the following steps prior to December 31, 2020:
- Update its public commitment to specify that it will apply Privacy Shield protections to personal data transferred from the UK. The FAQs provide model language for this commitment. Entities that will use Privacy Shield to transfer employment data from the UK must also make a corresponding disclosure in their HR privacy policies.
- Maintain a current Privacy Shield certification, comply with Privacy Shield’s requirements, and continue to recertify annually.
Entities that rely on Privacy Shield for transferring personal data from the UK should keep these requirements (and all other Privacy Shield requirements) in mind when reviewing their compliance materials for Privacy Shield recertification.
- Privacy law 101
- Data security and breaches
- E-Mail, calls, and text marketing