Editor's note: Please note that the Privacy Shield framework has been invalidated. It is being replaced with the EU-U.S. Data Privacy Framework, which is not fully finalized yet.
The passing of Brexit by the United Kingdom in 2016 has long-reaching effects. While you may think Brexit does not affect your company or how you do business with the UK and the European Union, recent changes will require you to update your policies to comply with the post-Brexit world.
With an update to the U.S. Department of Commerce's Privacy Shield FAQ page, companies that originally fell under the EU-U.S. Privacy Shield, and those looking to join, will have to make changes to their Privacy Agreements by the applicable date that the UK plans to leave the EU. However, there is some uncertainty about what date companies need to plan for.
Below is an analysis of how Brexit affects your Privacy Shield agreement and what your company needs to do to still comply with the Privacy Shield if you wish to retain or have access to its benefits.
What is Brexit and Who Does it Affect?
The actual term Brexit is the combination of the two words "Britain" and "exit." The slang term is supposed to represent Britain leaving the European Union.
Britain has been debating leaving the European Union for years. Issues such as immigration and trade have become focal points for the discussion of whether to leave the EU. After much deliberation, a national referendum to leave the EU was put to the residents of the UK on June 23, 2016, with the referendum being passed with 51.9% of the population.
The passing of the referendum meant that the UK would no longer be part of the EU trade system, industries and the country's revenue would be affected, and individuals would not be able to move freely between Europe and the UK as they once did.
Brexit will likely also affect the price of goods coming in and out of the UK, travel safety, delays at airports and ports, and even cell phone carriers. Additionally, citizens in the EU and the U.S. will feel this change.
The reaches of Brexit even extend as far as companies and their Privacy Policies as the UK was subject to EU data protection laws and the EU-U.S. Privacy Shield.
What is the Timeline for the UK to Leave the EU?
This has been a floating and ever-changing deadline since the referendum was passed back in 2016. Once Brexit was decided, a deadline was given for the UK's departure from the EU. Originally, that date was set by the UK for March 29, 2019, under Article 50 of the Lisbon Treaty, which would be the end of a two-year departure process.
However, that date has passed and never came to fruition as the proposed withdrawal agreement between the UK and the EU was rejected multiple times and the date was pushed back to April 12, 2019.
Now another deadline has been selected, although this deadline may not be used either, as a proposed agreement has not been decided on and there are two types of Brexit departures the UK may follow: a hard departure and a soft departure.
"Hard" Deadline or Departure
The British Prime Minister and the EU leaders have now decided on a longer delay, pushing the date into the fall of 2019. The "hard" deadline is now October 31, 2019. This is the current date that the UK will leave the EU, and all of the new changes will take effect at that point.
A "hard" Brexit departure would also mean that there is no leeway and the UK will completely cut itself off from the EU. The UK would be dealing with the EU in the same way that other countries such as the U.S. or Japan would in trade, immigration, and travel.
Even though this is the final date, the EU may still leave earlier if a new departure agreement is accepted by both sides.
"Soft" Deadline or Departure
However, as the past changing dates have shown us, there may be some wiggle room. If the withdrawal agreement being proposed includes a "soft" departure, this means that the UK will still retain close connections in certain areas with the EU under a transition period.
This proposed agreement would help decrease any issues in trade, businesses, and EU standards. This type of departure would mean the residents of the UK are still subject to EU laws, even if they are no longer able to vote on them.
The projected "soft" deadline under the proposed agreement would be December 31, 2020. This "soft" transition period would allow a smoother and gentler adjustment to the new way of things.
Even though the date of Brexit has changed multiple times, companies should still prepare for the acceptance of the withdrawal agreement and have their Privacy Policies updated.
By joining the Privacy Shield, the U.S. was able to access and benefit from perks of doing business in the EU. However, by joining the shield, companies would also have to follow the required "adequacy determinations."
If your company wants to have access to possible benefits by partaking in this shield, you also have to follow its rules. While certification under the shield is voluntary, you must comply with its standards. If your company makes the public declaration that it's part of the Shield, then it must follow the determinations, and any false statements or attempts at defrauding will fall under U.S. law.
The U.S. Department of Commerce updated its Privacy Shield FAQ section in 2019 to reflect what impacts the passing of Brexit would have on the Privacy Shield.
In the updated version of the FAQ page, it's stated that companies that are part of the Privacy Shield must update their privacy requirements no matter which outcome is decided on, whether it is the "hard" or the "soft" scenario.
"Soft" Brexit or "Transition Period"
As mentioned earlier, one of the possibilities of the UK leaving the EU is that there will be a transition period where companies are given the chance to update their laws and have a smoother transition.
During this transition period, the EU's original data protection requirements will continue to apply to data that is transferred from the UK to Privacy Shield members. If this withdrawal proposal is accepted, members of the shield will not have to take any further action, as their membership of the Framework will be deemed to automatically include data from the UK.
"Hard" Brexit or "No Transition Period"
If the proposed agreement is based on a hard or no transition period withdrawal, companies must take the following appropriate action by the "Applicable Date."
Note that this also applies if there is a Transition Period and you are a company that is not already under the Privacy Shield and wishes to join.
While this is one possibility and a soft Brexit may occur, it's recommended that you make any changes by the Applicable Date of October 31, 2019, to make sure your company complies.
First, a Privacy Shield member must update its "public commitment" to include the UK. This means in addition to saying your company complies with the EU Privacy Shield, you must also explicitly state the protection also includes the UK.
Amazon's UK version includes a Privacy Shield section in its Privacy Notice that lists the UK separately from the EU to demonstrate this commitment.
The FAQ page does include model language to follow if you need to update your public commitment or are planning to become a member of the Privacy Shield. The most important update you'll notice is that the language adds "and the United Kingdom" to extend the protection to data from the UK.
Second, companies that are already members of the Privacy Shield must maintain their certification. The Framework decided by the EU requires that its members update the certification annually.
If your company does not follow these appropriate steps by the Applicable Date, then you will not be seen as falling under the Privacy Shield Framework. However, if you do all of these steps by the Applicable Date your company will be seen as cooperating with the Framework.
Brexit's effect can be felt throughout Europe, the UK, and the United States. This is especially true when it comes to the transfer of personal data between the countries. With this update to the EU-U.S. Privacy Shield FAQ page, companies will have to update their Privacy Policies to comply.
Companies should plan to make changes by the hard Applicable Date of October 31, 2019 to comply with the new updates, even if a soft Brexit date of December 31, 2020, is approved by the EU and the UK.
Making these simple changes will keep you qualified under the EU-U.S. Privacy Shield Framework:
- Including "and the United Kingdom"
- Updating your certification