Privacy Shield and the UK: An Important and Time Sensitive Update

The United Kingdom (UK) has notified the European Union (EU) of its intention to withdraw from the European Union on March 29, 2019.  In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”), Privacy Shield participants must update their Privacy Shield commitments by the Applicable Date.

An update from the Privacy Shield Program as published by the International Trade Administration

Can a Privacy Shield participant rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s planned withdrawal from the EU?

The United Kingdom (UK) has notified the European Union (EU) of its intention to withdraw from the European Union on March 29, 2019.  In order to receive personal data from the UK in reliance on the EU-U.S. Privacy Shield Framework (“Privacy Shield” or “the Framework”), Privacy Shield participants must update their Privacy Shield commitments by the Applicable Date, as explained below, depending on how the UK and the EU implement the withdrawal.

Scenario (1) “Transition  Period”: The UK and EU have preliminarily agreed that from March 30, 2019 until December 31, 2020, a Transition Period will take place during which EU law, including EU data protection law, will continue to apply to and in the UK. During the Transition Period, the European Commission’s decision on the adequacy of the protection provided by Privacy Shield will continue to apply to transfers of personal data from the UK to Privacy Shield participants.  During the Transition Period, the United States will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no additional action on the part of a participant required.

Privacy Shield participants seeking to receive personal data from the UK in reliance on the Privacy Shield after the end of the Transition Period must take the steps below by the Applicable Date of December 31, 2020. The Department of Commerce encourages Privacy Shield participants to use the Transition Period as an opportunity to update their privacy policies.

Scenario (2) “No Transition Period”: In the event that the UK and the EU do not finalize an agreement on the Transition Period, Privacy Shield participants receiving personal data from the UK in reliance on the Privacy Shield must take the steps below by the Applicable Date of March 29, 2019.

Updates by the Applicable Date:

To receive personal data from the UK in reliance on Privacy Shield in the case of no Transition Period, or after the Transition Period, a Privacy Shield participant will be required to adhere to the following:

1.    First, a Privacy Shield organization must update its public commitment to comply with the Privacy Shield to include the UK.  Public commitments must state specifically that the commitment extends to personal data received from the UK in reliance on Privacy Shield.  If an organization plans to receive Human Resources (HR) data from the UK in reliance on Privacy Shield, it must also update its HR privacy policy.  Model language for these updates is provided below:


(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield.  (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.


2.    Second, organizations must maintain a current Privacy Shield certification, recertifying annually as required by the Framework.

An organization that does not modify its commitment as directed above will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after the Applicable Date (either March 29, 2019 if there is no Transition Period or December 31, 2020, at the end of the Transition Period).

After the Applicable Date, an organization that has publicly committed to comply with Privacy Shield with regard to personal data received from the UK and that has committed to cooperate and comply with the EU Data Protection Authority panel under the Framework will be understood to have committed to cooperate and comply with the UK Information Commissioner’s Office (ICO) with regard to personal data received from the UK in reliance on Privacy Shield.

Additional Reading:

Source: ComplexDiscovery

Business as Unusual? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2020

The results of the recent Summer 2020 eDiscovery Business Confidence Survey present the unfortunate and continuing impact of COVID-19 on the business of eDiscovery. However, for these pandemic-driven results to be fully understood, they should be viewed through the contextual lens of the results of all nineteen surveys that have been administered to eDiscovery professionals since the inception of the eDiscovery Business Confidence Survey in early 2016.



Check Out the Observations Now!

ComplexDiscovery combines original industry research with curated expert articles to create an informational resource that helps legal, business, and information technology professionals better understand the business and practice of data discovery and legal discovery.

All contributions are invested to support the development and distribution of ComplexDiscovery content. Contributors can make as many article contributions as they like, but will not be asked to register and pay until their contribution reaches $5.

Mitratech Acquires Tracker Corp

The acquisition supports Mitratech’s mission to provide legal and compliance solutions...

A Window into Malware? The New Malware Reverse Engineering Handbook from CCDCOE

According to Wikipedia, malware analysis is the study or process of...

Much Ado About Something? The Hype Cycle for Legal and Compliance Technologies (2020)

The information and insight highlighted by Marko Sillanpaa of Gartner in...

You Want Answers? EDPB FAQ on CJEU Schrems II Decision

Following the recent judgment of the Court of Justice of the...

A Running List: Top 100+ eDiscovery Providers

Based on a compilation of research from analyst firms and industry...

The eDisclosure Systems Buyers Guide – 2020 Edition (Andrew Haslam)

Authored by industry expert Andrew Haslam, the eDisclosure Buyers Guide continues...

The Race to the Starting Line? Recent Secure Remote Review Announcements

Not all secure remote review offerings are equal as the apparent...

Enabling Remote eDiscovery? A Snapshot of DaaS

Desktop as a Service (DaaS) providers are becoming important contributors to...

Home or Away? New eDiscovery Collection Market Sizing and Pricing Considerations

One of the key home (onsite) or away (remote) decisions that...

Revisions and Decisions? New Considerations for eDiscovery Secure Remote Reviews

One of the key revision and decision areas that business, legal,...

A Macro Look at Past and Projected eDiscovery Market Size from 2012 to 2024

From a macro look at past estimations of eDiscovery market size...

An eDiscovery Market Size Mashup: 2019-2024 Worldwide Software and Services Overview

While the Compound Annual Growth Rate (CAGR) for worldwide eDiscovery software...

Business as Unusual? Eighteen Observations on eDiscovery Business Confidence in the Summer of 2020

Based on the aggregate results of nineteen past eDiscovery Business Confidence...

A Growing Concern? Budgetary Constraints and the Business of eDiscovery

In the summer of 2020, 56% of respondents viewed budgetary constraints...

A Change in Tempo? eDiscovery Operational Metrics in the Summer of 2020

In the summer of 2020, 91 eDiscovery Business Confidence Survey participants...

Shifting Gears? eDiscovery Business Confidence Survey Results – Summer 2020

This is the nineteenth quarterly eDiscovery Business Confidence Survey conducted by...

Mitratech Acquires Tracker Corp

The acquisition supports Mitratech’s mission to provide legal and compliance solutions...

XDD Acquires LightSpeed Legal

According to David Moran, XDD President, and COO, “As we continue...

XDD Acquires RVM

According to XDD CEO Bob Polus, “Merging forces with RVM further...

Ipro Acquires NetGovern

According to Dean Brown, CEO at Ipro Tech, “We are thrilled...

Five Great Reads on eDiscovery for July 2020

From business confidence and operational metrics to data protection and privacy...

Five Great Reads on eDiscovery for June 2020

From collection market size updates to cloud outsourcing guidelines, the June...

Five Great Reads on eDiscovery for May 2020

From review market sizing revisions to pandemeconomic pricing, the May 2020...

Five Great Reads on eDiscovery for April 2020

From business confidence to the boom of Zoom, the April 2020...