As a global company, we have had multiple clients and prospects in the United Kingdom inquire about how the current situation with Brexit will affect storage and privacy. Here is a brief update regarding possible post-Brexit shifts in privacy regulations.
With the United Kingdom (UK) currently still a member of the European Union (EU), Private Health Information (PHI) of UK residents may be stored in the United States pursuant to the Privacy Shield legislation. Only companies registered to be in current compliance with Privacy Shield are certified to do so. This list of companies is available here.
Assuming the UK decides to leave the EU, UK providers will still be able to store PHI of their patients under one of the following two scenarios:
1) The UK and EU have already preliminarily agreed that from the date the UK leaves the EU through December 31, 2020, a transition period will take place under which EU law (including that for data protection covered by Privacy Shield) will apply. This would mean that the current certification and application of Privacy Shield will remain in effect through this date. We expect that sometime prior to December 31, 2020, a new regulation will be announced, and that compliance with it will be required to continue to house UK resident data in the U.S.
2) Assuming the UK and EU do not finalize their agreement on a transition period, UK providers may still rely on Privacy Shield protection, assuming the company housing their UK residents' data adds a separate certification pertaining to the UK in its Privacy Shield statement.
Either way, UK providers can take comfort that the data of their residents will remain protected and may continue to be stored in the U.S.