On December 20, 2018, the Department of Commerce updated its frequently asked questions (“FAQs”) on the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (collectively, the “Privacy Shield”) to clarify the effect of the UK’s planned withdrawal from the EU on March 29, 2019. The FAQs provide information on the steps Privacy Shield participants must take to receive personal data from the UK in reliance on the Privacy Shield after Brexit.
The deadline for implementing the steps identified in the FAQs depends on whether the UK and EU are able to finalize an agreement for the UK’s withdrawal from the EU. To the extent the UK and EU reach an agreement regarding withdrawal, thereby implementing a Transition Period in which EU data protection law will continue to apply to the UK, Privacy Shield participants will have until December 31, 2020, to implement the relevant changes to their public-facing Privacy Shield commitments described in the FAQs and below. To the extent no such agreement is reached, participants must implement the changes by March 29, 2019.
According to the FAQs, a Privacy Shield participant who would like to continue to receive personal data from the UK following the relevant deadline (as described above) must update any language regarding its public commitment to comply with the Privacy Shield to include an affirmative statement that its commitment under the Privacy Shield will extend to personal data received from the UK in reliance on the Privacy Shield. In addition, Privacy Shield participants who plan to receive Human Resources (“HR”) data from the UK in reliance on the Privacy Shield must also update their HR Privacy Policies. The FAQs further state that if a Privacy Shield participant opts to make such public commitments to continue receiving UK personal data in reliance on the Privacy Shield, the participant will be required to cooperate and comply with the UK Information Commissioner’s Office with regard to any such personal data received.