**Updated July 2020**
The United Kingdom’s (U.K.’s) exit from the European Union (EU) – whenever it occurs – could create data privacy uncertainty on an entirely new scale. While the EU-U.S. Privacy Shield Framework currently governs U.K. personal data collection practices for U.S. businesses, it’s important to understand these rules could change any day.
So, can you continue to rely on Privacy Shield participation to support current personal data collection practices? The short answer is yes – for now. The longer answer, as you might expect, is a little more complicated…
The Future of U.K. Personal Data Collection Practices
In light of recent developments, the Brexit timeline has been pushed back to January 31, 2020 due to a mutually agreed-upon withdrawal extension period. For you, this means the next few months offer a ‘business as usual’ sigh of relief. The U.K. will remain an EU member state until this date, leaving all applicable EU data collection laws in place until then.
After that, however, is when things get tricky. While both parties have preliminarily agreed to a December 31, 2020 departure date for the U.K., this resolution has not yet been formalized. In other words, this timeline is subject to change at a moment’s notice.
Should this date stand, the U.K. and EU will facilitate a transition period during which current EU law, i.e. Privacy Shield, will continue to apply to the personal data of all U.K. citizens. The European Commission’s affirmative decision on the regulation’s protections will continue to apply to your personal data collection and transfer practices. That’s good news for everyone involved, as it means no further action will be needed for any U.S. participant until 2021.
If, however, both sides fail to finalize an official agreement that upholds this departure date and transition period, your timeline accelerates. Your Privacy Shield participation will be nullified immediately after the U.K.’s earlier departure date, and your personal data collection practices will need to meet the standards outlined by the U.K.’s Department of Commerce instead.
Your Privacy Shield Updates Can’t Wait
Whether you have until 2021 or not, one thing is certain – your personal data collection practices will need to change if you continue to do business with U.K. consumers. So why wait until the last minute to make them?
While the nature and scope of your data privacy requirements may be unique, all current Privacy Shield participants can make two immediate changes to ensure a smooth transition:
1. Your organization must update its public commitment to include the U.K. in its Privacy Shield commitment
2. You must maintain a current Privacy Shield certification and recertify annually as required by the current Framework
Without this commitment, you won’t be able to rely on the Privacy Shield Framework to receive personal data from the U.K. after its departure from the EU. This means cooperating and complying not only with the EU Data Protection Authority panel as current requirements dictate, but with the U.K.’s Information Commissioner’s Office (ICO) as well.
Regardless of whether or not you’re prepared for Brexit’s data privacy updates, this is the first of many changes your organization will need to make if it wishes to collect, store, and use personal data going forward. Enroll in AOTMP® University’s Introduction to Data Privacy Course to prepare your team for tomorrow’s data management practice today!
**Despite the Court of Justice of the European Union’s (CJEU’s) ruling that the EU-US Privacy Shield is no longer a valid mechanism to comply with EU data protection requirements when transferring personal data from the EU to the US, participants have not been relieved of their obligations as dictated by the EU-US Privacy Shield Framework. The US Department of Commerce will continue to administer the program. Contact your trusted data protection authority or legal counsel for more information.