With the UK’s Brexit referendum dominating the news out of Europe over the past week, it may have been easy to miss a key development in the continuing Privacy Shield negotiations. On Friday, June 24, news outlets reported that U.S. regulators and the European Commission had agreed on a finalized version of the Privacy Shield, a proposed “replacement” for the Safe Harbor framework that was invalidated last October. The revised draft is said to address concerns voiced by the European Parliament, the Article 29 Working Party, and the European Data Protection Supervisor in recent months.
The latest draft of the Privacy Shield, which the European Commission sent to EU Member States for review, has not yet been made public, but reports have sketched out the following updates:
- Bulk data collection: The U.S. has provided further details on its bulk data collection practices, specifying the preconditions for “targeted and focused” personal data collection and safeguards for how the data may be used.
- U.S. Ombudsperson: The Privacy Shield calls for the appointment of a U.S. Ombudsperson to address complaints regarding the U.S. government’s use of EU citizens’ personal data. The revised draft specifies that this Ombudsperson will be independent from U.S. national security services.
- Data retention: The revised draft includes more explicit data retention restraints, requiring that personal data be deleted when it no longer serves the purpose for which it was collected.
The revised draft is now in the hands of the Article 31 Working Party (WP31) – a group composed of EU Member State representatives with veto power – which is expected to hold a vote in early July. The WP31 was unable to reach an agreement on the adequacy of the Privacy Shield during its meeting on May 19. If the WP31 approves the European Commission’s revised Privacy Shield, it would then need to be formally adopted by the European Commission’s College of Commissioners. With alternative data transfer mechanisms under continued scrutiny, the fate of the Privacy Shield is of great interest to U.S. companies seeking to lawfully transfer personal data from the EU.
UK-U.S. Data Transfers Post-Brexit
Companies are also wondering what effect Brexit may have on the Privacy Shield, and on UK data protection law generally. The UK Information Commissioner’s Office (ICO) issued a statement on Friday following the Brexit vote, confirming that the UK’s Data Protection Act of 1998 “remains the law of the land irrespective of the referendum result.” The ICO recognized that if the UK does leave the EU, “upcoming EU reforms to data protection law would not directly apply to the UK,” suggesting that (at least at some point in the future) the Privacy Shield agreement may not cover transfers of personal data from the UK. That said, the ICO could explicitly approve Privacy Shield certification as an adequate means of data transfer from the UK to the U.S., or it could establish a similar mechanism for such transfers, not unlike the U.S.-Swiss Safe Harbor framework that served as an analog to the U.S.-EU Safe Harbor framework. It will take at least two years for the UK to effect its withdrawal from the EU, and many estimate that the complicated negotiations will take much longer. In the interim, the existing EU-U.S. data transfer landscape will continue to include the UK.
In terms of Brexit’s implications for data transfers between the UK and the EU, the ICO’s statement made clear that the UK would need to “prove ‘adequacy’” if it wants to continue to do business on the continent. Accordingly, “UK data protection standards would have to be equivalent to the EU’s General Data Protection Regulation framework starting in 2018.” The application of the GDPR to the UK is all but inevitable given the timelines for GDPR implementation (May 2018) and UK withdrawal (likely October 2018 at the earliest), though once the UK is no longer a member of the EU, it could theoretically disregard the GDPR or implement its own version of the regulation. For its part, the ICO has suggested that the UK would need to adapt to European privacy regulations, stating that its role “has always involved working closely with regulators in other countries, and that would continue to be the case.”