Privacy Policy For Brexit

Editor's Note: Because Brexit occurred some time in the past, some content in this article is no longer valid, such as the invalidation of the Privacy Shield framework.

Whatever your views are on the UK's decision to leave the European Union (EU), it's hard to disagree that it has caused a great deal of uncertainty. Because EU law extends to so many aspects of economic activity, there are many different ways in which Brexit might affect your business. And one area in which Brexit has the potential to substantially impact on virtually all businesses operating in the UK is data protection.

This article will break down how Brexit may affect your business Privacy Policy.

What is Brexit?

Brexit is the process of the UK's departure from the EU.

The UK is (at the time of writing) still one of the 28 Member States of the EU, along with such countries as Germany, France, Poland, and Romania.

In June 2016, the UK held a referendum and asked whether voters wished to remain a member. The result, by a majority of just under 52 percent, was a vote to leave the EU.

In March 2017, the UK officially signaled its intention to leave the EU by invoking Article 50 of the Treaty on European Union. This started the clock ticking on the UK's departure.

The UK should have left the EU two years after invoking Article 50, i.e. the end of March 2019. However, the EU has since granted the UK an extension until October 31, 2019.

Why Hasn't the UK Left the EU Yet?

The UK has been trying to negotiate a trade deal with the EU since 2017. It hopes to be able to finish negotiations before leaving.

If the UK left the EU without a trade deal, a scenario known as "no deal Brexit," many think it would have dire implications for the UK's economy. It could also harm the economies of several EU countries who do business with the UK.

The UK executive and the EU did come to a provisional deal in 2018, known as the "Withdrawal Agreement." The Withdrawal Agreement is a lengthy document which clarifies some of how EU/UK relations could operate post-Brexit. It also leaves many questions unanswered.

UK's parliament needs to approve any exit deal before the UK side officially agrees to it. The Withdrawal Agreement has been put before Parliament several times and has been rejected each time.

This is why the Brexit process has been extended. It is hoped that the UK can settle its internal political turmoil, and come back to the table with a proposal that has been endorsed by its parliament.

Is the Withdrawal Agreement Final?

The Withdrawal Agreement, in its current form, is unlikely to ever come into effect. But some aspects of the Withdrawal Agreement could remain, in whatever deal is forged between the EU and the UK (if any) by the time the Brexit deadline passes.

So, the Withdrawal Agreement could give us some idea of the nature of future arrangements.

One important part of the agreement that may survive is the "transition period" over which the UK will remain subject to EU laws. This is important for our purposes.

What is the Transition Period?

The transition period, as it stands in the Withdrawal Agreement, would be a period over which the UK is still subject to EU laws but also allowed to enter into trade negotiations with non-EU countries.

The end of the transition period as set out in the Withdrawal Agreement is December 31, 2020.

This date could change, but some are treating it as the date that the UK completely leaves the EU.

Possible Outcomes of Brexit

The political climate in the UK is highly unstable at the moment, and it's very hard to say what will happen next. However, we can consider a few possible scenarios and the implications that they might have.

No Deal Brexit

"No Deal Brexit" is the most "extreme" form of Brexit. No deal would mean the UK leaving the EU without making any arrangements to continue in EU projects or trade on preferential terms with the EU.

While a no deal Brexit once seemed very unlikely, it increasingly seems like a plausible outcome. After all, if the EU and the UK can't agree on a deal before October 31, 2019, there could be a no deal Brexit by default.

Hard Brexit

It is possible that the UK will construct some sort of deal with the EU, but that it will not involve very much cooperation between the two countries.

"Hard Brexit" might see the UK leave both the single market and the customs union. However, it could continue to trade on preferential terms with the EU as a third country.

Soft Brexit

Some argue that the UK should honor the referendum decision and leave the EU, but remain party to many agreements that EU membership entails.

"Soft Brexit" could mean that the UK remains part of the European Economic Area (EEA), the larger area which includes all EU Member States plus several non-EU countries. This would mean that the UK remains subject to almost all EU laws and agreements by default, including those relating to data protection.

Second Referendum

It is possible that the UK could offer the public another chance to vote on leaving the EU. This is known variously as a "second referendum," a "confirmatory vote," or sometimes a "People's Vote."

It isn't clear what question would be put before the UK public if another referendum were called. However, this scenario could even see the Brexit decision reversed, meaning that the UK would remain in the EU.

Implications for Your Privacy Policy

Right now, the UK is still subject to the EU's laws. One of these EU laws is the General Data Protection Regulation (GDPR).

The GDPR provides rules around privacy and data protection, including the requirement for any company operating in the EU (whether it's European or not) to have a Privacy Policy. The GDPR also dictates what information your Privacy Policy must contain.

The UK has its own version of the GDPR, the Data Protection Act 2018. This brings the GDPR onto UK statute books, and there are no plans to repeal this law post-Brexit.

However, there is a small but important update that you may have to make to your Privacy Policy even at this stage of the Brexit process. This has to do with international data transfers.

Data Transfer Rules

The GDPR has special rules about the transferring of personal data out of the EU. This is very important for non-EU companies who transfer personal data out of the EU, for example to servers hosted abroad.

The GDPR sets out several grounds on which international data transfers can take place. For example:

1. The recipient company is based in a country that has received an "adequacy decision" from the European Commission. These countries' data protection standards are sufficiently high that personal data transfers are permitted without any restrictions. Such countries include Canada, New Zealand and Uruguay
2. The recipient company is based in the United States or Switzerland and is a participant in the EU-US or EU-Swiss Privacy Shield certification framework
3. The transfer is taking place under a contract containing standard data protection clauses written by the European Commission
4. The transfer is taking place within a multinational company and is subject to binding corporate rules
5. As a last resort, the transfer is taking place subject to the data subject's consent

The changes we're looking at in this article relate to point 2 and concern Privacy Shield participants.

Implications for Privacy Shield Participants

Note: The Privacy Shield Framework used to be an acceptable method for transfers of data. However, it was invalidated and has been replaced by the EU-U.S. Data Privacy Framework.

U.S. companies who are certified under the Privacy Shield framework can send or receive personal data out of the EU without any additional restrictions, much like companies in countries who have received an adequacy decision.

But what happens to Privacy Shield after the UK leaves the EU?

As is clear from the various Brexit scenarios set out above, it's not clear what the UK's legal situation will be in the coming years. When the UK becomes a non-EU country, it may be required to obtain an adequacy decision from the European Commission.

After Brexit, the UK may no longer even be a part of the Privacy Shield framework. This would mean that companies who wish to transfer personal data out of the UK might have to comply with a different set of rules.

Changes to Privacy Policies

If your company is part of the EU-US Privacy Shield framework, there's a step that you should take before the day on which Brexit actually takes place. You'll need to make certain changes to your Privacy Policy to reflect the UK's changing status.

These changes have been mandated by the US Department of Commerce (DOC) via its Privacy Shield and the UK FAQs.

Currently, Privacy Shield participants must make reference to their Privacy Shield certification in their Privacy Policies. Here's an example from GlobeTax:

The DOC requires a minor but very important amendment to the Privacy Policies of Privacy Shield participants. This amendment is designed to reflect the potential distinction between the EU and the UK as separate jurisdictions post-Brexit.

In its FAQ (linked above) the DOC provides "model language" for such amendments below:

(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.

The key difference in the amended Privacy Shield statement is that "the European Union" has changed to "the European Union and the United Kingdom."

When Should I Make This Change?

According to the DOC, you need to implement this change to your Privacy Policy either:

1. Before the end of the transition period. The DOC takes this date from the Withdrawal Agreement, i.e. December 31, 2020
2. Before the end of any other transitional period, or any other date on which the UK leaves the EU. This could be as soon as October 31, 2019, in the event of a "no deal" Brexit or some other form of "hard" Brexit. Or if a different transition period is agreed under a new Withdrawal Agreement, it will be at the end of this period

The first scenario assumes that the transition period part of the Withdrawal Agreement survives any further negotiations. The second scenario implies that you should make such changes to your Privacy Policy as soon as possible.

Is There Anything Else Privacy Shield Participants Should Do?

The DOC requires that those companies relying on Privacy Shield participation to transfer Human Resources data should also update their HR policies to include language similar to that above.

Other than that, the DOC simply suggests that participants continue to maintain their Privacy Shield certification by recertifying annually in the normal way.

Summary

Nobody knows for sure how Brexit will turn out. But you'll want to do everything you can to prepare.

If you're a EU-US Privacy Shield participant, you must change the language of your Privacy Policy (and HR Policy, if applicable) to reflect the new political situation.

Where you mention "the European Union" in your policies, simply change the wording to "the European Union and the United Kingdom."