The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No. 2) Regulations 2019 (the “Regulations”), concerning the transfer of personal data from the UK to the US under the Privacy Shield in a no-deal Brexit situation, were adopted on 29 March 2019 and will apply on the UK’s exit from the EU.
International transfers of data under the GDPR
Under the General Data Protection Regulation (the “GDPR”), personal data may only be transferred outside the EEA, or to an international organisation, if one of the following applies:
- the European Commission (the “Commission”) has determined that the destination country offers ‘adequate’ protection for individuals;
- the controller or processor has put in place appropriate safeguards in accordance with the GDPR (for example, a legally binding agreement between public authorities, binding corporate rules or standard data protection clauses); or
- one of the specific derogations in the GDPR applies to the transfer.
Transferring Personal Data from the EU to the US
The Commission has not made a general adequacy decision in respect of the US. However, in 2000 the Commission and the US government established the ‘safe harbour’ framework as a method of providing adequate protection for transfers of personal data from the EU to the US. Following a decision of the Court of Justice of the European Union in 2015, safe harbour was invalidated. The Commission then adopted a new adequacy framework for transfers of personal data to the US, known as the EU-US Privacy Shield (the “Privacy Shield”), which covers only transfers to US organisations that have certified under it.
This means companies in the UK may lawfully transfer personal data to companies in the US in certain cases, provided that the US recipient has self-certified to the Privacy Shield and appears on the Privacy Shield list maintained by the US Department of Commerce. In order to be added to the list, a US company must commit to comply with the Privacy Shield and must publish a privacy policy that complies with the Privacy Shield principles relating to the protection of personal data.
Transfers of data from the UK to the US post-Brexit
The UK Parliament has enacted legislation intended to retain the provisions of the GDPR in domestic law following the UK’s withdrawal from the EU, and to carry over key decisions of the EU institutions so that data transfers which are currently permitted under EU law remain permitted post-Brexit.
As such, the Regulations are intended to allow UK companies to continue to transfer personal data to the US in reliance on the Privacy Shield following the UK’s exit from the EU. However, there is a new requirement that will need action on the US side: the US-based recipient must include in its privacy policy a commitment to comply with the Privacy Shield principles in relation to personal data transferred from the UK.
Action point
Companies in the UK transferring personal data to the US should therefore check that each US recipient they rely on under the Privacy Shield still appears on the Privacy Shield list and has updated its published privacy policy to include the commitment to UK personal data required by the new Regulations. Where a recipient has not done so, the UK company will need to put in place another transfer mechanism, such as standard data protection clauses, before the UK leaves the EU.