Skip to main content

REMINDER: Brexit Effects on Privacy Shield

Now that the United Kingdom has officially withdrawn from the European Union as of January 31, you should look at your transfers of personal data in light of Brexit.   Under the Withdrawal Agreement between the UK and the EU, EU law (including GDPR) will continue to apply to and in the UK during the transition period from January 31, 2020 to December 21, 2020.    During the transition period, the European Commission’s adequacy decision of the protection provided by the EU-U.S. Privacy Shield Framework will continue to apply to transfers of personal data from the UK to those certified to the Privacy Shield Framework.  According to the International Trade Administration, the U.S. will consider a Privacy Shield participant’s commitments to comply with the Framework to include personal data received from the UK in reliance on Privacy Shield with no further action required.

The International Trade Administration sent out reminders to all Privacy Shield participants in mid-2019 regarding updates to Privacy Shield statements when it appeared that Brexit would be imminent.  If you have not updated your Privacy Shield statement to account for Brexit, mark your calendars to ensure that your language is updated by December 31, 2020.   You should update your statement (and your HR privacy policy if you certified to transfer of HR data) to specifically include that the Privacy Shield commitment extends to personal data received from the UK in reliance on Privacy Shield.   According to the International Trade Administration, “an organization that does not modify its commitment as directed will not be able to rely on the Privacy Shield Framework to receive personal data from the United Kingdom after December 31, 2020.”

Contact any member of the Mintz Privacy Team if you have questions relating to cross-border transfers of personal data in light of Brexit.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.