The UK Government has published a new data-related Brexit statutory instrument clarifying the position with respect to transfers of personal data to the US in reliance on the EU-US Privacy Shield (the “Privacy Shield“) and in a no-deal Brexit scenario.
Transfers to the US under the Privacy Shield are currently made pursuant to a special category of adequacy decision based on a specific arrangement put in place between the US and EU authorities. However, advice and guidance on how such arrangements could continue to work in a no-deal Brexit scenario had differed.
ICO guidance and a set of FAQs posted on the Privacy Shield website had suggested that organisations would continue to be able to rely on the Privacy Shield but only provided certain administrative steps had been taken. However, the draft Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 published earlier this year simply stated that the Privacy Shield was adequate for UK GDPR purposes. This appeared to conflict with the information provided on the Privacy Shield website and from the UK regulator.