The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No. 2) Regulations 2019 (the “Regulations”), concerning the transfer of personal data from the UK to the US under the Privacy Shield in a no-deal Brexit situation, were adopted on 29 March 2019 and will apply on the UK’s exit from the EU.
International transfers of data under the GDPR
Under the General Data Protection Regulation (the “GDPR”), personal data may only be transferred outside the EEA or to an international organisation if certain derogations apply, or if the European Commission (the “Commission”) has determined:
- that the country offers ‘adequate’ protection for individuals; or
- the controller or processer has provided appropriate safeguards in accordance with the GDPR (for example, by entering into a legally binding agreement, binding appropriate rules or standard data protection clauses).
Transferring Personal Data from the EU to the US
The Commission has not made an adequacy decision in respect of the US. However in 2000, the European Commission and the US government established the ‘safe harbour’ framework as a method to provide adequate protection for transfers of personal data from the EU to the US. Following a decision by the Court of the European Union in 2015, safe harbour was invalidated. The Commission then adopted a new adequacy framework in relation to transfers of data to the US known as the EU-US Privacy Shield (the “Privacy Shield”).
Transfers of data from the UK to the US post-Brexit
The UK Parliament has enacted legislation that is intended to retain certain provisions of the GDPR in domestic law following the UK’s withdrawal from the EU and adopt key decisions of the EU institutions that would allow data transfers post-Brexit that are currently permitted under EU law.
This means therefore that companies in the UK transferring data to the US should consider whether the companies in the US to which they transfer personal data have updated their privacy notice as required by the new Regulations.