On 12 October 2023, a change to international data protection legislation came into force. Termed the UK-US Data Bridge, when navigated correctly this can make it easier for UK businesses to comply with the law when sharing personal data with organisations based in the USA.
To provide some context: if your company sends personal data to a recipient located outside the UK, for example by sending customers’ data to third-party servers located in another country, you are responsible for ensuring that the transfer complies with the UK’s retained version of the General Data Protection Regulation (UK GDPR). Typically this can be achieved in one of two ways:
Previously, concerns over data privacy and security in the USA led to complications in the transfer of personal data between the EU and the USA. A recent high-profile example is the case involving Facebook's owner, Meta, which was fined over $1.3 billion earlier this year for transferring personal data from the EU to the US without the correct safeguards in place.
The EU-US Data Privacy Framework was adopted in July to help resolve some of these issues. It allows participating companies in the EU and the USA to self-certify that their data protection practices are sufficient for transferring personal data to each other, without the need for additional legal clauses.
To be a part of the framework, organisations must comply with a set of enforceable requirements in the way they use, collect and disclose personal data.
The UK-US Data Bridge works in the same way, allowing compliant UK businesses to share personal data with organisations in the US that have been certified and placed on the Data Privacy Framework List. The Data Bridge serves as a link between the EU-US Data Privacy Framework and UK data protection law, facilitating the unimpeded transfer of personal data while maintaining UK data protection standards.
If your business transfers personal data from the UK to the USA, you will need to check the Data Privacy Framework List to confirm that the US organisation receiving the data is on the list and therefore adheres to the data protection standards set by the UK-US Data Bridge and the UK GDPR.
Not all US organisations will be eligible for the UK-US Data Bridge, and others may opt not to use it. In either case, you will have to continue using the established methods of legitimising data transfers, such as the International Data Transfer Agreement or UK Binding Corporate Rules. You should also consider the types of personal data you are transferring: certain special categories of personal data (in particular, biometric data and/or data concerning sexual orientation) and criminal offence data require additional protections even when transferring to a certified US organisation.
When relying on the UK-US Data Bridge, UK organisations will also need to update their own data protection compliance documentation accordingly, in particular by:
A previous attempt at establishing a similar EU/US data transfer mechanism eventually fell apart after court challenges in the EU. This new framework may well also be challenged in the EU courts in due course, although it is hoped that the lessons from previous regimes have been learned, so that this framework is more likely to withstand any such legal challenge.
If you need advice on personal data transfers outside the UK, or advice and assistance on anything else related to the handling of personal data, our Commercial, Digital and Telecoms Team can help. Contact Thomas Taylor on 0113 204 0407.