When the “General Data Protection Regulation” (the “GDPR”) took effect on 25 May 2018, it applied in all EU Member States, including the UK. However, since 31 January 2020, the UK has officially left the EU and has become a “third country”.
The UK is now in a transition period that is said to end on 31 December 2020 (but could be extended). During this transition period, the UK will continue to apply the GDPR and all data transfer mechanisms remain the same. But what will happen after the transition period? What impact will this have on US Privacy Shield companies and what actions need to be taken?
This article focuses on helping US Privacy Shield companies anticipate the impact of Brexit once the transition period ends (i.e. 31 December 2020 – or later if there’s an extension), guiding them towards actions that should be taken before this date.
1. Brexit and Privacy Shield companies: which actions to take for data transfers?
As per the advice published by the US Government for Privacy Shield companies (see link below in the “References” section), Privacy Shield companies seeking to receive personal data from the UK in reliance on the Privacy Shield must have taken the following steps by 31 December, 2020:
“(i) A Privacy Shield organization will have to update its public commitment to comply with the Privacy Shield to include the UK. Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield. If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy. Model language for these updates is provided below:
(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view the certification, please visit https://www.privacyshield.gov/.
An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after December 31, 2020.
(ii) Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.
The Department of Commerce encourages Privacy Shield participants who receive personal data from the United Kingdom to use the Transition Period as an opportunity to prepare any needed updates to their privacy policies. We will continue to monitor the United Kingdom’s withdrawal from the European Union and update this guidance as needed”.
Text by : https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs
2. Privacy Shield companies and the EU and/or UK Representative(s): what happens after the end of the transition period?
What happens after the transition period will depend on the result of the negotiations between the EU and the UK. The current position is that the GDPR will be implemented into UK law as the “UK GDPR”, alongside the UK Data Protection Act 2018.
Depending in which country a company is located, there are 12 different scenarios that could apply with respect to the requirement to appoint an EU and/or UK based Representative.
Please find below a table which summarizes all possible scenario’s, including specific details relating to Privacy Shield companies under scenarios 7 to 12.
If your US company has an establishment in the UK:
Scenario 7: I am a US-based company and I only sell goods/provide services in the UK or target the UK
As long as we’re in the transition period, your company only needs to appoint one Representative in the EU. In this case, the EU Representative should be in the UK. After the transition period, if you continue to only sell and/or target in the UK and not in any EU country, then the appointment of an EU Representative will not be required but you will need to appoint a UK Representative as per UK law. You can of course appoint your current EU Representative in the UK as your UK Representative (but remember to modify the appointment contract to reflect UK law).
Scenario 8: I am a US-based company and I only sell goods/provide services in the EU/EEA or target the EU/EEA (i.e. not in the UK)
Your company’s situation will not change, regardless of Brexit. The GDPR will continue to apply to all other EU Member States. Therefore, you will still need to appoint an EU Representative*.
Scenario 9: I am a US-based company and I sell goods/provide services in the UK & EU/EEA or I target the UK & EU/EEA
You will continue to fall under the scope of the GDPR. If your current EU Representative is located in the UK, this appointment will no longer be valid in the EU. You can however appoint this person/entity as your UK Representative as per UK law (but remember to modify the appointment contract to reflect UK law). You will also have to appoint an EU Representative* in one of the Member States. This means that you will have two representatives: one in the EU and one in the UK.
Scenario 10: I am a US-based company and I have an establishment in the UK
Before Brexit, you didn’t have to appoint an EU Representative because you had an establishment in the EU. Once the transition period is over, you will no longer have an establishment in the EU so you will have to appoint an EU Representative* in an EU/EEA country.
Scenario 11: I am a US-based company and I have an establishment in the EU/EEA
As a US-based company with an establishment in the EU/EEA, the obligation to appoint an EU Representative does not apply to you. However, if you sell goods/provide services in the UK or target the UK, you will have to appoint a UK Representative as per UK law.
Scenario 12: I am a US-based company and I have an establishment in the UK & EU/EEA
No action is needed. As a US-based company with an establishment in the UK and in the EU& EEA, the obligation to appoint an EU Representative or a UK Representative does not apply to you.
* Unless you’re a public authority or body or if the processing is occasional, does not include, on a large scale, processing of special categories of data or processing of personal data relating to criminal convictions and offences, and the processing is unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope and purposes of the processing.
3. How can EDPO help your US-based company?
To mitigate risks and to prepare for the obligation to appoint a Representative in the UK, EDPO has opened an office in London, in addition to its headquarters in Brussels and its offices in Paris, Dublin, Berlin and Madrid. We can therefore act as your Representative in the UK and in the EU. For clients who will need both an EU and a UK Representative and who sign up with us before the end of the transition period, we will provide UK Representative services at no additional cost.
Still don’t know if your company needs to appoint an EU Representative? Click here to take EDPO’s assessment test for more insight.
Click here to read our article on 4 of the most common mistakes made about the GDPR by Privacy Shield companies.
References
- Agreement on arrangements between Iceland, the Principality of Liechtenstein, the Kingdom of Norway and the United Kingdom of Great Britain and Northern Ireland following the withdrawal of the United Kingdom from the European Union, the EEA Agreement and other agreements applicable between the United Kingdom and the EEA EFTA States by virtue of the United Kingdom’s membership of the European Union:
- EDPB’s Information note on BCRs (Binding Corporate Rules) for companies which have ICO as BCR Lead Supervisory Authority:
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb-2019-02-12-infonote-bcrs-brexit_en.pdf
- Explainer for the agreement on arrangements between Iceland, the Principality of Liechtenstein and the Kingdom of Norway, and the United Kingdom of Great Britain and Northern Ireland, following the withdrawal of the United Kingdom from the European Union:
- ICO’s Guidance on Data Protection and Brexit:
https://ico.org.uk/for-organisations/data-protection-and-brexit/
- Privacy Shield official Government’s website on Brexit:
https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs
Follow us on Linkedin for daily breaking GDPR news!
Get our weekly newsletter in your inbox every Monday with fresh GDPR and Data Protection news!