21 April 2020
Whatever your views are on the UK's decision to leave the European Union (EU), it's hard to disagree that it has caused a great deal of uncertainty. Because EU law extends to so many aspects of economic activity, there are many different ways in which Brexit might affect your business. And one area in which Brexit has the potential to substantially impact virtually all businesses operating in the UK is data protection.
We're going to look at how Privacy Shield participants can implement the changes required by the US Department of Commerce (DOC). But to understand what the DOC requires, you might first need a brief update on the relevant aspects of the Brexit situation.
Brexit is the process of the UK's departure from the EU.
The UK is (at the time of writing) still one of the 28 Member States of the EU, along with such countries as Germany, France, Poland, and Romania.
In June 2016, the UK held a referendum and asked whether voters wished to remain a member. The result, by a majority of just under 52 percent, was a vote to leave the EU.
In March 2017, the UK officially signaled its intention to leave the EU by invoking Article 50 of the Treaty on European Union. This started the clock ticking on the UK's departure.
The UK should have left the EU two years after invoking Article 50, i.e. the end of March 2019. However, the EU has since granted the UK an extension until October 31, 2019.
The UK has been trying to negotiate a trade deal with the EU since 2017. It hopes to be able to finish negotiations before leaving.
If the UK left the EU without a trade deal, a scenario known as a "no deal Brexit," many think it would have dire implications for the UK's economy. It could also harm the economies of several EU countries that do business with the UK.
The UK executive and the EU did come to a provisional deal in 2018, known as the "Withdrawal Agreement." The Withdrawal Agreement is a lengthy document which clarifies some aspects of how EU/UK relations could operate post-Brexit. It also leaves many questions unanswered.
The UK's Parliament needs to approve any exit deal before the UK side officially agrees to it. The Withdrawal Agreement has been put before Parliament several times and has been rejected each time.
This is why the Brexit process has been extended. It is hoped that the UK can settle its internal political turmoil, and come back to the table with a proposal that has been endorsed by its parliament.
The Withdrawal Agreement, in its current form, is unlikely to ever come into effect. But some aspects of the Withdrawal Agreement could remain, in whatever deal is forged between the EU and the UK (if any) by the time the Brexit deadline passes.
So, the Withdrawal Agreement could give us some idea of the nature of future arrangements.
One important part of the agreement that may survive is the "transition period" over which the UK will remain subject to EU laws. This is important for our purposes.
The transition period, as it stands in the Withdrawal Agreement, would be a period over which the UK is still subject to EU laws but also allowed to enter into trade negotiations with non-EU countries.
The end of the transition period as set out in the Withdrawal Agreement is December 31, 2020.
This date could change, but some are treating it as the date that the UK completely leaves the EU.
The political climate in the UK is highly unstable at the moment, and it's very hard to say what will happen next. However, we can consider a few possible scenarios and the implications that they might have.
"No Deal Brexit" is the most "extreme" form of Brexit. No deal would mean the UK leaving the EU without making any arrangements to continue in EU projects or trade on preferential terms with the EU.
While a no deal Brexit once seemed very unlikely, it increasingly seems like a plausible outcome. After all, if the EU and the UK can't agree on a deal before October 31, 2019, there could be a no deal Brexit by default.
It is possible that the UK will construct some sort of deal with the EU, but that it will not involve very much cooperation between the two sides.
"Hard Brexit" might see the UK leave both the single market and the customs union. However, it could continue to trade on preferential terms with the EU as a third country.
Some argue that the UK should honor the referendum decision and leave the EU, but remain party to many agreements that EU membership entails.
"Soft Brexit" could mean that the UK remains part of the European Economic Area (EEA), the larger area which includes all EU Member States plus several non-EU countries. This would mean that the UK remains subject to almost all EU laws and agreements by default, including those relating to data protection.
It is possible that the UK could offer the public another chance to vote on leaving the EU. This is known variously as a "second referendum," a "confirmatory vote," or sometimes a "People's Vote."
It isn't clear what question would be put before the UK public if another referendum were called. However, this scenario could even see the Brexit decision reversed, meaning that the UK would remain in the EU.
Right now, the UK is still subject to the EU's laws. One of these EU laws is the General Data Protection Regulation (GDPR).
The UK has its own version of the GDPR, the Data Protection Act 2018. This brings the GDPR onto UK statute books, and there are no plans to repeal this law post-Brexit.
The GDPR has special rules about transferring personal data out of the EU. This is very important for non-EU companies that transfer personal data out of the EU, for example to servers hosted abroad.
The GDPR sets out several grounds on which international data transfers can take place. For example:
The changes we're looking at in this article relate to point 2 and concern Privacy Shield participants.
US companies that are certified under the Privacy Shield framework can send or receive personal data out of the EU without any additional restrictions, much like companies in countries that have received an adequacy decision.
But what happens to Privacy Shield after the UK leaves the EU?
As the various Brexit scenarios set out above show, it's not clear what the UK's legal situation will be in the coming years. When the UK becomes a non-EU country, it may be required to obtain an adequacy decision from the European Commission.
After Brexit, the UK may no longer even be a part of the Privacy Shield framework. This would mean that companies who wish to transfer personal data out of the UK might have to comply with a different set of rules.
These changes have been mandated by the US Department of Commerce (DOC) via its Privacy Shield and the UK FAQs.
Currently, Privacy Shield participants must make reference to their Privacy Shield certification in their Privacy Policies. Here's an example from GlobeTax:
The DOC requires a minor but very important amendment to the Privacy Policies of Privacy Shield participants. This amendment is designed to reflect the potential distinction between the EU and the UK as separate jurisdictions post-Brexit.
In its FAQ (linked above) the DOC provides "model language" for such amendments below:
The key difference in the amended Privacy Shield statement is that "the European Union" has changed to "the European Union and the United Kingdom."
The DOC also requires companies that rely on Privacy Shield participation to transfer Human Resources data to update their HR policies to include language similar to that above.
Other than that, the DOC simply suggests that participants continue to maintain their Privacy Shield certification by recertifying annually in the normal way.
Nobody knows for sure how Brexit will turn out. But you'll want to do everything you can to prepare.
Where you mention "the European Union" in your policies, simply change the wording to "the European Union and the United Kingdom."