In Short
- The UK GDPR allows data transfers to the US only if specific safeguards are in place.
- The UK-US Data Bridge simplifies transfers to certified US companies but isn’t always available.
- If your US supplier is not certified, other options like SCCs or anonymisation may apply, but require careful handling.
Tips for Businesses
Check whether your US partners are certified under the UK-US Data Bridge. If not, consider alternatives like SCCs with a Transfer Risk Assessment or anonymisation. Don’t rely on exceptions unless absolutely necessary. Given the complexity and legal risk, speak to a data protection lawyer before transferring any personal data to the US.
Transferring personal data to the US may be necessary if your business works with US-based companies, such as key suppliers. However, UK data protection law imposes strict requirements to ensure that personal data remains protected, even when sent outside the UK. The UK GDPR permits international data transfers only where specific legal rules are followed. This article explores what your business needs to know about data transfers to the US, which agreements and safeguards you could rely on and their importance for compliance with UK GDPR.
Why are International Data Transfers Considered High Risk?
Transferring personal data across borders can challenge compliance because data protection laws differ between jurisdictions. The UK GDPR requires that personal data leaving the UK receive an adequate level of protection to ensure that individuals’ rights and personal information remain safeguarded.
Some jurisdictions (including the US) have different legal frameworks for data privacy. These variations can create uncertainty about how personal data will be handled when transferred internationally. Therefore, businesses transferring data abroad must carefully assess and comply with applicable data transfer rules in line with UK GDPR requirements.
How Can the UK-US Data Bridge Help Address Compliance?
The UK government introduced the UK-US Data Bridge as a partial adequacy decision to facilitate personal data transfers to the US. Businesses can transfer personal data to US organisations if those organisations have obtained certification under the Data Privacy Framework (DPF) and the UK Extension to this framework. Certified US companies must, however, comply with strict data protection principles, e.g., those relating to transparency, accountability, and data minimisation.

For your business, the UK-US Data Bridge can help simplify compliance by removing the need for additional safeguards when transferring personal data to a certified US organisation. However, various criteria must be met before you can rely on the UK-US Data Bridge mechanism. Unfortunately, it may not always be appropriate for data transfers, so it is essential to take legal advice if you are unsure.
What if Your US Supplier is Not Certified Under the UK-US Data Bridge?
Not all organisations will be certified under the UK-US Data Bridge mechanism, and it is not mandatory to rely on it.
If your US supplier has not obtained certification under the UK-US Data Bridge (or you cannot rely on this mechanism), your business can look to use an alternative legal mechanism to transfer personal data lawfully to the US.
Alternative Mechanisms
Other options to consider include the following:
- your business may seek to rely on European Union Standard Contractual Clauses (EU SCCs) with the UK Addendum or the UK’s standalone International Data Transfer Agreement. These mechanisms (commonly called ‘SCCs’) serve as legally approved contracts that protect personal data transferred to a country without an adequacy decision. Before relying on SCCs, your business must conduct a Transfer Risk Assessment (TRA) to determine whether the recipient can provide adequate protection for personal data. The TRA helps companies to identify risks associated with differing legal frameworks and ensures appropriate safeguards are in place;
- if the SCCs are unsuitable, your business may rely on a specific exception under the UK GDPR. These exceptions allow transfers in limited circumstances, e.g. when the individual has explicitly consented. Companies should use exceptions only as a last resort, as they are subject to strict conditions; and
- another option may be anonymisation. If your business anonymises personal data before transferring it to the US, UK GDPR does not restrict the transfer because anonymised data no longer qualifies as personal data. However, your business must ensure that the anonymisation process is entirely irreversible and workable. If there is any risk that the data could be re-identified, UK GDPR transfer rules will still apply.
How Can a Lawyer Help Ensure Data Transfers to the US Are Compliant?
Navigating the legal complexities of international data transfers to the USA (and deciding which agreements to use) requires careful consideration of legal risks and compliance requirements. A data protection lawyer can help your business assess the risks of transferring personal data to the US and determine the most appropriate legal mechanism for your circumstances.
Key Takeaways
Many businesses commonly transfer data to the US as part of everyday business. However, your business must ensure data transfers to the US comply with UK GDPR. You may be able to rely on various mechanisms, depending on the nature of your transfers and the recipient parties in the US. Seeking legal advice from a data protection solicitor can help you ensure compliance and mitigate risks when transferring personal data to the US.
If you need advice on transferring personal data to the US, our experienced data, privacy and IT lawyers can help as part of our LegalVision membership. For a low monthly fee, you’ll have unlimited access to lawyers who can answer your questions, review your data protection policies, and guide you through complex compliance issues. Call us today on 0808 196 8584 or visit our membership page.
Frequently Asked Questions
The UK-US Data Bridge provides a framework allowing UK businesses to transfer personal data to US-based organisations that have obtained certification under the Data Privacy Framework and the UK extension to it without additional safeguards.
For example, your business may still be able to transfer data by using an appropriate safeguard permitted under law, such as the UK’s International Data Transfer Agreement.