
Data transfers: bridging the gap between the UK and USA

Thomas Taylor, Commercial & Digital Solicitor (Leeds)

The UK-US Data Bridge

On 12 October 2023, a change to UK international data transfer rules came into force. Termed the UK-US Data Bridge, when used correctly it makes it easier for UK businesses to comply with the law when sharing personal data with organisations based in the USA.

To provide some context: if your company sends personal data to a receiver located outside the UK, for example by storing customers' data on third party servers located in another country, you are making a "restricted transfer" and are responsible for ensuring that the transfer complies with the UK GDPR (the UK's retained version of the EU General Data Protection Regulation). Typically this can be achieved in one of two ways:

  1. Adequacy Regulations: You can transfer personal data to countries outside of the UK if that country has been assessed as having “adequate” protection in law for people’s personal data. For example, transfers of personal data to receivers in the EU are covered by an “adequacy regulation” as both the UK and EU data protection laws are still (largely) aligned. This means that organisations operating in these locations can transfer personal data to each other without the need for additional legal safeguards.
  2. Appropriate Safeguards: Transfers of personal data to countries that are not covered by adequacy regulations are more problematic, and, until the Data Bridge, transfers to the USA fell into this category. Transfers to such countries need to be covered by other "appropriate safeguards", such as:
    • International Data Transfer Agreements (IDTA): a standard-form contract containing data protection clauses for restricted transfers, issued by the ICO and laid before the UK Parliament.
    • UK Binding Corporate Rules: These are a set of data protection regulations and practices that multinational companies establish within their group to facilitate international transfers of personal data.
    • Approved code of conduct: You can make a restricted transfer if the receiver has signed up to a code of conduct which has been approved by the UK Information Commissioner's Office (ICO). While there are no approved codes of conduct at the time of writing, the ICO is actively working with various sector bodies and associations to put these in place.

Concerns over data privacy and security in the USA, in particular over US government access to data, have long complicated transfers of personal data between the EU and the USA. A recent high-profile example is the case involving Facebook's owner Meta, which was fined €1.2 billion (over $1.3 billion) by the Irish Data Protection Commission in May 2023 for transferring personal data from the EU to the US without having adequate safeguards in place.

The EU-US Data Privacy Framework (DPF) was adopted by the European Commission in July 2023 to help resolve some of these issues. Under the DPF, US organisations self-certify to the US Department of Commerce that their data protection practices meet the framework's principles; EU organisations can then transfer personal data to those certified US organisations without the need for additional legal clauses.

To be a part of the framework, organisations must comply with a set of enforceable requirements in the way they use, collect and disclose personal data.

The UK-US Data Bridge works in the same way. It is formally the "UK Extension" to the EU-US Data Privacy Framework: a US organisation that is certified under the DPF can opt in to the UK Extension, and once it appears on the Data Privacy Framework List as participating in the UK Extension, UK businesses can share personal data with it without an IDTA or other safeguard. The UK has given this effect through its own adequacy regulations, which is why the Data Bridge facilitates transfers while still requiring the receiving organisation to meet UK data protection standards.

How can your business ensure that its data protection practices align with the new rules?

If your business transfers personal data from the UK to the USA, you will need to check the Data Privacy Framework List to confirm that the US organisation receiving the data is not only certified under the DPF but also listed as participating in the UK Extension. Only then does the UK-US Data Bridge cover the transfer.

Not all US organisations are eligible for the UK-US Data Bridge, and others may opt not to use it. If either is the case, you will have to continue using the traditional methods to legitimise data transfers, such as the International Data Transfer Agreement or UK Binding Corporate Rules. You should also consider the types of personal data you are transferring. Certain special categories of personal data (in particular, biometric data and data concerning sexual orientation) and criminal offence data are not treated as "sensitive" by default under the US framework, so the UK sender must identify such data as sensitive to the certified US organisation so that it applies the framework's additional protections.

When relying on the UK-US Data Bridge, UK organisations will also need to update their own data protection compliance documentation accordingly, in particular by:

  • listing the UK-US Data Bridge as a relevant transfer mechanism in their privacy policy to comply with transparency requirements; and
  • listing the UK-US Data Bridge as the relevant transfer mechanism in any new data transfer agreement entered into with the relevant US organisation.

Previous attempts at a similar EU/US transfer mechanism (Safe Harbour, struck down in 2015, and Privacy Shield, struck down in 2020) were invalidated after court challenges before the Court of Justice of the EU. The new framework may well also be challenged in the EU courts in due course, although it is hoped that the lessons from the previous regimes have been learned so that it is more likely to withstand such a challenge. Because the UK-US Data Bridge is built on the EU-US framework, a successful EU challenge could also affect UK transfers relying on it.

What can we do to help?

If you need advice on personal data transfers outside the UK, or advice and assistance on anything else related to the handling of personal data, our Commercial, Digital and Telecoms Team can help. Contact Thomas Taylor on 0113 204 0407 or ttaylor@lcf.co.uk.