What Does a “No Deal Brexit” Mean For Personal Data Transfers From the UK to the U.S.?
The looming March 29, 2019, Brexit deadline could arrive with no agreement for transitioning the withdrawal of the United Kingdom from the European Union (EU). If that happens, United States-based companies exporting personal data of UK residents to the U.S. will need to evaluate whether the mechanism they employ to comply with the General Data Protection Regulation’s (GDPR) cross-border data transfer requirements is also suitable for compliance with UK data privacy law. Because Brexit makes the UK a “third country” under the GDPR, any data transfer from the UK to the U.S. will be governed by UK data privacy law, not by the GDPR.
Currently, Article 46 (and, in a limited number of specific situations, Article 49) of the GDPR offers U.S. companies several options for lawful cross-border data transfers to the U.S. Since the U.S. has not received an adequacy decision from the European Commission, standard contractual clauses (SCCs), binding corporate rules and the EU-U.S. Privacy Shield framework are the transfer mechanisms most frequently employed by U.S. companies to lawfully transfer EU personal data to the U.S. Will those same solutions also be available under UK data protection law?
As the Brexit talks progressed, it had been anticipated that the withdrawal agreement would include an adequacy decision for the UK. As an EU member state, the UK has data protection laws that certainly meet or exceed the GDPR’s requirements. The UK’s data protection authority, the Information Commissioner’s Office (ICO), has published comprehensive official GDPR guidance on its website, including an abundance of materials to assist companies with their compliance efforts. Additionally, the UK has a pending draft of the Data Protection, Privacy and Electronic Communications (Amendment etc) (EU Exit) Regulations 2019. These Regulations would consolidate and amend the EU GDPR and the UK Data Protection Act 2018 (DPA 2018) to create a new “UK GDPR.” The GDPR responsibilities of controllers and processors established in the UK would not change. The main difference is that the ICO will no longer have a seat on the European Data Protection Board.
Thus, the requirements under the GDPR, in particular as they relate to the cross-border transfer of UK residents’ personal data from the UK to the U.S., will not change in substance. The UK government has said it will continue to recognize the effect of SCCs entered into before Brexit. The ICO has also stated that it will continue to recognize binding corporate rules it had approved prior to the Brexit deadline. And companies certified under the EU-U.S. Privacy Shield framework may continue to transfer UK personal data to the U.S.: the ICO has included a provision preserving the availability of the Privacy Shield for UK personal data flows to the U.S. Further, the U.S. Department of Commerce (DOC), which administers the Privacy Shield, has included guidance for certified businesses in its Brexit FAQs. To take advantage of this protection, Privacy Shield-certified companies will need to expressly state in their Privacy Shield policies their commitment to applying the Privacy Shield Principles to UK personal data as well as to EU personal data. They will also need to make this commitment clear in their Human Resources (HR) privacy policies if they import HR data from the UK. The deadline for meeting this requirement depends on whether a Brexit deal is approved. If a deal is approved, there will be a transition period, with a compliance deadline of December 31, 2020. If the result is a “No Deal Brexit,” the compliance deadline is March 29, 2019.
- A U.S. company relying upon the Privacy Shield for transfers of UK personal data to the U.S. should prepare to amend the Privacy Shield policy posted on its website, as instructed in the DOC’s Brexit FAQs, by March 29, 2019, in the event no Brexit deal is reached. The DOC makes clear that failure to do so means the Privacy Shield is not available as a lawful basis for transferring UK personal data to the U.S., and any such transfer would then be in violation of UK data protection law.