Privacy Shield participants must update their privacy notices by March 29, 2019 (if the UK crashes out of the EU on that date with no deal) to continue to rely on the Privacy Shield for UK to US transfers post-Brexit. Privacy Shield certification is available to US companies as a lawful mechanism to transfer personal data from the EU (and soon to be the EU and the UK) to the US as well as from Switzerland to the US (if companies register with both Privacy Shield Frameworks).
There is urgency to this task. With about ten days to go, affected US companies should include the required language in their privacy policies to beat the deadline. Companies relying on the Privacy Shield for non-human resources (HR) data only need to update their online privacy policies. Companies that also rely on Privacy Shield for HR data must also update those employee notices (if customer and employee notices are separate).
The US Department of Commerce has provided model language to be added to applicable privacy notices. It is available on the FAQ page of the Privacy Shield website: https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs
After the Brexit date, companies that selected the EU Data Protection Authority as the independent recourse mechanism will be understood to have committed to cooperate and comply with the UK's Information Commissioner's Office with regard to personal data received from the UK in reliance on Privacy Shield.
If you have any questions about the information in this alert or other questions related to privacy and data protection post-Brexit, then please contact the authors.