Clarification On The Status Of The EU-US Privacy Shield On A No Deal Brexit


The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield”) in a no-deal Brexit scenario.

Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed.

ICO guidance and a set of FAQs posted on the Privacy Shield website had suggested that organisations would continue to be able to rely on the Privacy Shield but only provided certain administrative steps had been taken. However, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 published earlier this year simply stated that the Privacy Shield was adequate for UK GDPR purposes. This appeared to conflict with the information provided on the Privacy Shield website and from the UK regulator.

The newly published Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019 (the “New Regulations”) have now sought to clarify the issue. They align with the position set out on the Privacy Shield website and provide that organisations can only rely on the Privacy Shield to legitimise their transfer of personal data to the US provided that the receiving entity (registered on the Privacy Shield List) has included a public commitment in its privacy policy to comply with the Privacy Shield Principles where the personal data is transferred from the United Kingdom (as well as from the EU). In practice, this means that organisations in the UK transferring to a US entity will need to: (a) check that the entity is validly registered on the Privacy Shield List; and (b) confirm that the entity has made a public commitment with respect to transfers from the UK. This should usually be possible simply by checking the US organisation's publicly available privacy policy.

A copy of the New Regulations is available here. The advice on the Privacy Shield website is available here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
