Brexit and Your Privacy Policy

Last updated on 14 January 2020 by Elizabeth C.

Over the past couple of years, you've likely heard the term 'Brexit' mentioned often in the news. But if you're not living in the European Union (EU) or the United Kingdom, you might be wondering what all the fuss is about and, more importantly, what it has to do with you.

This article will aim to explain what Brexit is, and who it's going to affect, as well as the timelines for the changes. Further, we'll also describe how Brexit will affect you and your Privacy Policy for your business - because it very likely will - no matter where you're located.


What is Brexit?

Brexit, a term coined back in 2016 that is a portmanteau of the words 'British' and 'exit', refers to the public vote that was conducted back in June 2016, where the British community voted to decide whether the UK should remain as a part of the EU, or leave.

The European Union includes 28 European countries and acts as an economic and political union that enables free trade and free movement of its people, who can decide to live and work in any EU country that they choose.

The choice to leave the EU won by a relatively slight margin - 52 percent to 48 percent - and over 30 million people voted to make the change.

While the change was meant to occur on the 29th of March 2019, two years after Theresa May (the Prime Minister at the time) activated the formal process to leave, it was delayed twice after British MPs rejected the deal.

The deadline was then changed to the 31st of October 2019, but that deadline wasn't met either. Now-Prime Minister Boris Johnson missed it while trying to negotiate trade deals and other essential aspects.

Even with the missed deadline, the EU allowed another extension of the deadline, which is now the 31st of January, 2020.

This whole process has left the British government in a state of crisis, as members have been unable to decide and agree on the specifics of the move.

Even though the idea of Brexit seems fairly new, it's actually a hot topic that has been debated since all the way back in 1975, just three years after Britain joined the EU (or the European Economic Community, as it was known back then).

Who is Brexit Going to Affect?

There are plenty of potentially negative consequences that may happen if/when the UK departs from the EU.

Without a trade deal in place, the UK may experience inflation in costs due to the rising price of imports and exports. The country of Ireland may be divided by way of a customs border, because Northern Ireland will be part of the UK while the rest of Ireland will stay as a member of the EU. This could cause widespread problems and reignite the issues that became known as the Northern Ireland Conflict (also referred to as The Troubles).

Immigration restrictions may hurt Britain's labor movements, and Scotland may decide to join the EU independent of the UK, meaning it would depart from the sovereign country. Low rates of economic growth could negatively impact real estate prices, while the costs of telecommunication and travel may increase.

The result of Brexit, whether it is deal or no-deal, will impact the entire world.

What is the Brexit Timeline?

With the large number of changes and extensions that have occurred around the deadlines, the timeline might seem blurry. But at its most basic, it is a simple one. On the 31st of January, 2020, the UK will formally leave the EU (as long as the European Parliament allows it) by way of a withdrawal deal.

If this withdrawal deal is approved, the UK will enter a transition period until the 31st of December, 2020. The transition period will be the time when trade deal negotiations take place. These negotiations will dictate whether the UK leaves with a trade deal in place or not.

If a no-deal Brexit (also called a 'hard' Brexit) occurs, it means the UK would leave immediately, which could have devastating impacts on the British economy.

A Brexit that occurs with a deal in place (also called a 'soft' Brexit), by contrast, would likely mean that the UK would be allowed to remain as traders in the European market.

An unfavorable outcome of this could be highly detrimental to the economy on a global scale. This is because, under the EU, the UK is able to trade with countries such as Canada (and more than 70 other countries) without paying tariffs (taxes) on the goods.

During the Brexit process, the UK government has been working to negotiate the rollover of these free trade deals, in order to allow them to continue being able to trade freely across the globe.

And, if/when Brexit goes ahead, the UK will be able to establish trade deals with countries that haven't previously been included in the free trade deals, such as the United States.

But if Brexit occurs with no deals in place, the UK will lose access to such trade deals immediately, and would then be required to trade under World Trade Organization (WTO) boundaries.

How Does This Impact Your Privacy Policy?

Regardless of whether you think Brexit is a good idea or a bad one, or whether you have no opinion at all, it's likely that Brexit will affect you in one way or another, even if you're not located in the EU or the UK.

This is because the laws of the EU extend to many different areas of the global economy, and one major area in particular will be affected by Brexit and, subsequently, affect those who need to abide by those laws.

That area is data protection, and for you, this means: Privacy Policies.

As of today, Britain is still bound to all the laws of the EU, including one you might be very familiar with: the General Data Protection Regulation (herein referred to as the GDPR).

Though the UK also has its own similar version of the GDPR, known as the Data Protection Act 2018, companies within the UK still have to abide by the GDPR (and still will after Brexit).

The GDPR is a strict set of principles that sets parameters for online privacy and the protection of user data. It protects all citizens of the EU, so this makes it essential for any company that provides goods and/or services to EU citizens due to the exchange of personal information that occurs in such transactions.

The GDPR dictates how your Privacy Policy should be written, as well as what it should contain. And if you abide by GDPR legislation, with Brexit looming on the horizon, there will be some minor changes required to your Privacy Policy - specifically around data transfers.

Under the rules of the GDPR, restrictions were put into place regarding the transfer of users' personal data to countries outside of the EU.

These restrictions on international data transfers apply regardless of how big or small the data is - even if it's simply an email address and username. The restrictions won't apply if you're sending information to a person employed by you who lives in another country, but sending data internationally outside of your company is not allowed.

Data transfers may happen, for example, when a company hosts its information on a third-party server that resides in another country.

However, if your company is required at any point to make an international transfer that is deemed restricted, there are things you can do. First, it's important to consider whether you absolutely need to make a restricted transfer, or whether you can get your targets met (whatever they may be) without doing so.

If it's found to be completely necessary, then it's possible to do, as long as the following requirements are met:

  • If the transfer is to occur in a country that has adequate data protection standards. These countries have been given an 'adequacy decision' from the European Commission, and include countries such as Japan, Israel, New Zealand, and Canada.
  • If the receiving company is based in either Switzerland or the United States, and is included within the EU-US/EU-Swiss Privacy Shield certification framework. This framework allows for the transatlantic exchange of personal data - so long as it's for commercial purposes.
  • If the transfer is occurring alongside a contract that contains the standard data protection clauses that have been written by the European Commission.
  • If the transfer is occurring within an international company, and is therefore bound by corporate rules that specify who will be affected by the data transfer, how the transfer will occur and what kind of data is being sent.
  • And, if the transfer has been consented to by the data subject/s themselves.

If and when Brexit occurs, it could mean that, upon becoming a non-EU country, the UK may not fall under the GDPR guidelines. As such, any transfers that need to take place internationally might have to happen via the above rules.

So, what does this mean for your Privacy Policy?

The changes to your Privacy Policy will likely only be needed if your company is a member of the EU-US Privacy Shield framework. If you are a participant, you will be required to make changes to your Privacy Policy before Brexit happens.

If you're already a part of the Privacy Shield framework, you'll have a section within your Privacy Policy that reflects your participation (or at least, you should!), and it's this section that will require editing.

While your Privacy Policy may currently include something that looks like this section of Accertify's Privacy Policy below, you'll need to amend it slightly before Brexit comes into play.

[Image: Accertify Privacy Statement: EU-US and Swiss-US Privacy Shield Frameworks clause]

Luckily the US Department of Commerce (DOC) has released an example of what it refers to as "model language" that you can easily apply to your Privacy Policy, with the proper additions:

"(INSERT your organization name) complies with the (INSERT EU-U.S. Privacy Shield Framework [and the Swiss-U.S. Privacy Shield Framework(s)]) (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the (INSERT European Union and the United Kingdom and/or Switzerland, as applicable) to the United States in reliance on Privacy Shield. (INSERT your organization name) has certified to the Department of Commerce that it adheres to the Privacy Shield Principles with respect to such information. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/."

When compared to the previous wording for the framework, you'll see the phrase "and the United Kingdom" has been added. This is to ensure that, rather than just specifying "the European Union" as it was previously, you're also now identifying your compliance with both the separate entities that will be the EU and the UK after Brexit.

As you can see below, Facebook has already made the proposed wording changes to its Privacy Shield clause:

[Image: Facebook: EU-US and Swiss-US Privacy Shield clause]

This change to your Privacy Policy should be done with relative speed. The DOC advises doing so before the 31st of December 2020, which is the end of the transition period (taken from the Withdrawal Agreement).

Further, the DOC advises that anyone operating under the Privacy Shield framework should also update any relevant HR policies with additions similar to the model language it released for Privacy Policies.

After these slight changes have been made to your Privacy Policy, you can sit back and relax. The only thing left to do is to recertify under the Privacy Shield framework each year (which you should already be doing), and to watch how the Brexit saga unfolds!

Elizabeth C.

Legal writer.