Your business must comply with international data transfer laws if it sends personal data outside the UK. The UK made an important adequacy decision in October 2023, which allows UK organisations to transfer personal data to US organisations that have signed up to a certification scheme known as the UK-US Data Bridge. This article will explore the UK-US Data Bridge and the key issues UK organisations should understand.
Rules on Transferring Personal Data Outside of the UK
UK organisations must comply with strict international data transfer law rules when transferring personal data to countries outside the UK. The UK General Data Protection Regulation (UK GDPR) sets out rules to ensure that personal data is adequately protected when transferred outside the UK.
Generally, transferring personal data outside the UK is prohibited unless your organisation can rely on a valid exemption. This is because some countries have inadequate privacy protection laws. Consequently, transferring personal data to those countries could put individuals’ data at risk.
Various exceptions allow organisations to transfer personal data to countries outside the UK. The most common exceptions include transferring personal data to a country outside the UK deemed to have an ‘adequate’ level of data protection. These are commonly known as ‘adequacy decisions’.
Currently, the following countries have been deemed ‘adequate’ by the UK:
- Canada (commercial organisations only);
- Faroe Islands;
- Isle of Man;
- Japan (private-sector organisations only);
- New Zealand;
- Uruguay; and
- the EU member states and European Economic Area members.
What is the UK-US Data Bridge?
The EU-US Data Privacy Framework
Previously, transferring personal data to the US was problematic under European and UK data protection law regimes. Various risks arose from transferring personal data to the US, including US law enforcement authorities having access to personal data. There have been attempts to create mechanisms for sending personal data to the US safely. However, these mechanisms have been challenged and invalidated.
The European Commission, however, approved an adequacy decision for a new ‘EU-US Data Privacy Framework’ (DPF) on 10 July 2023. The DPF is an opt-in certification scheme for US organisations to facilitate flows of personal data from the EU to the US.
The DPF includes several principles and requirements that certifying US organisations must comply with. For example, the DPF includes:
- commitments to data protection; and
- rules concerning how US organisations should use, collect and disclose personal data.
The UK-US Data Bridge
As the UK is no longer a part of the European Union, the DPF is not a valid international data transfer mechanism for UK organisations.
To benefit from the arrangement, the UK government approved a new ‘UK-US Data Bridge’ arrangement, commencing 12 October 2023.
Under this arrangement, UK organisations can transfer personal data to US organisations certified under the ‘UK Extension to the EU-US Data Privacy Framework’. This means you can only send personal data to US organisations that are self-certified to both the DPF and the UK-US Data Bridge.
This is welcome news for UK organisations, as (if they meet the criteria) organisations may send personal data to the US without implementing additional safeguards such as the UK International Data Transfer Agreement or considering another lawful derogation allowing the transfer of personal data to the US. Putting in place such documents and carrying out complex and lengthy transfer risk assessments is often expensive and time-consuming for organisations. The UK-US Data Bridge will likely reduce time, costs and risk for businesses seeking to transfer personal data to the US.
What Should Businesses Seeking to Rely on the UK-US Data Bridge Do?
If you seek to rely on the UK-US Data Bridge, carefully check that you meet all requirements before sending personal data to the US. You must ensure that the:
- US organisations are correctly certified to both the DPF and UK Extension to the DPF; and
- UK-US Data Bridge covers your transfers of personal data.
Remember, there is still a requirement to conduct appropriate due diligence on any third parties you wish to transfer personal data to. You will also need appropriate data processing or data sharing agreements with those third parties, including US organisations.
The UK-US Data Bridge is welcome news for UK organisations, allowing a more straightforward mechanism for transferring personal data to the US. However, there are various actions that your organisation must take if you seek to rely upon the UK-US Data Bridge for your transatlantic data transfers. Businesses hope that the UK-US Data Bridge will make transfers of personal data to the US easier. However, this international data transfer mechanism has already faced challenges and scrutiny. As such, you should watch this space and monitor developments.
If you require advice on the UK-US Data Bridge and how it impacts your data flows, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.