Sending data to the US – the new UK-US data bridge

If no finding of adequacy has been made in respect of the recipient country, further safeguards will likely need to be put in place. For transfers of UK personal data, the following safeguards may be used:

• Existing contracts that rely on the old EU standard contractual clauses to transfer UK personal data remain valid until 21 March 2024 after which they will need to be amended to rely upon the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the new EU SCCs.
• All new contracts pursuant to which UK personal data is transferred internationally will need to include the IDTA or the UK Addendum to the new EU SCCs.

Some key points to bear in mind if your organisation transfers personal data to the US:

1. If you intend to rely upon the UK Extension (see musings at bullet point 3) make sure the US company to which you are transferring data is listed as participating in the EU-US Data Privacy Framework (“DPF”). Bear in mind that banking, insurance and telecoms companies cannot participate in the DPF. A full list of participating companies can be found here: https://www.dataprivacyframework.gov/s/participant-search.
2. The Information Commissioner’s Office has reviewed the Government’s determination that the UK-US data bridge provides adequate protection and has concluded that four areas could pose risks to UK data subjects:
   1. There is no equivalent to the “right to be forgotten” set out in UK GDPR.
   2. There is no unconditional right for a data subject to withdraw their consent to the processing of their data.
   3. The definition of “sensitive information” under the UK-US data bridge includes a “catch all” sweeper rather than specifying all the special categories of data that are referenced in Article 9 of UK GDPR. This means that there is an onus on UK organisations to flag biometric, genetic, sexual orientation and criminal offence data as “sensitive data” in order for it to be treated as such by the US organisation in receipt of the data. This is a new obligation for UK organisations.
   4. There is potentially reduced protection for criminal offence data (which, bearing in mind bullet point c above, needs to be flagged as “sensitive” in the first place) because some of the protections offered by the UK’s Rehabilitation of Offenders Act 1974 (the “Rehabilitation Act”) are not reflected in the UK Extension (including limitations on the use of personal data where convictions have become “spent”).
   5. There are reduced protections in relation to automated decision making including, for example, lack of provision of a right for an individual to seek a non-automated review of an automated decision where such decision produces legal effects or is otherwise similarly significant.
3. There seems to be little doubt that the UK Extension will come into force on 12 October irrespective of the concerns flagged by the ICO. However, it may be wise for organisations to continue to include the IDTA or UK Addendum to the new EU SCCs for US data transfers while rumblings continue about the suitability of the UK Extension, particularly if there are already templates in use.