Privacy Shield and the UK: An Important and Time Sensitive Update

The United Kingdom (UK) has notified the European Union (EU) of its intention to withdraw from the European Union on March 29, 2019.  In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”), Privacy Shield participants must update their Privacy Shield commitments by the Applicable Date.

An update from the Privacy Shield Program as published by the International Trade Administration

Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s planned withdrawal from the EU?

The United Kingdom (UK) has notified the European Union (EU) of its intention to withdraw from the European Union on March 29, 2019.  In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”), Privacy Shield participants must update their Privacy Shield commitments by the Applicable Date, as explained below, depending on how the UK and the EU implement the withdrawal.

Scenario (1) “Transition Period”: The UK and EU have preliminarily agreed that from March 30, 2019 until December 31, 2020, a Transition Period will take place during which EU law, including EU data protection law, will continue to apply to and in the UK. During the Transition Period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants.  During the Transition Period, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.

Privacy Shield participants seeking to receive personal data from the UK in reliance on the Privacy Shield after the end of the Transition Period must take the steps below by the Applicable Date of December 31, 2020. The Department of Commerce encourages Privacy Shield participants to use the Transition Period as an opportunity to update their privacy policies.

Scenario (2) “No Transition Period”: In the event that the UK and the EU do not finalize an agreement on the Transition Period, Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the steps below by the Applicable Date of March 29, 2019.

Updates by the Applicable Date:

To receive personal data from the UK in reliance on Privacy Shield in the case of no Transition Period, or after the Transition Period, a Privacy Shield participant will be required to adhere to the following:

1.    First, a Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK.  Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield.  If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.  Model language for these updates is provided below:


(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.


2.    Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after the Applicable Date (either March 29, 2019 if there is no Transition Period or December 31, 2020, at the end of the Transition Period).

After the Applicable Date, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.


Source: ComplexDiscovery
