Sending data to the US – the new UK-US data bridge

By Clarion
29th Sep 23

The UK’s extension to the EU-US Data Privacy Framework is due to come into force on 12 October 2023 (the “UK Extension”). This means that from that date, UK businesses will be able to safely and securely transfer personal data to certified organisations within the US by relying upon the new UK-US data bridge (equivalent to an “adequacy” decision).

As a reminder, if your organisation transfers personal data internationally it must ensure that there are appropriate safeguards in place in respect of the transfer. It may be that the recipient country benefits from a finding of adequacy. At the date of this blog, a full finding of adequacy has been made in respect of Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay and partial findings of adequacy have been made in respect of Japan (private sector organisations only) and Canada (only covers data subject to Canada’s Personal Information Protection and Electronic Documents Act). From 12 October 2023, a partial finding of adequacy in relation to US organisations will be added to this list.

Safeguards for UK Personal Data Transfers

If no finding of adequacy has been made in respect of the recipient country, further safeguards will likely need to be put in place. For transfers of UK personal data, the following safeguards may be used:

  • Existing contracts that rely on the old EU standard contractual clauses to transfer UK personal data remain valid until 21 March 2024, after which they will need to be amended to rely upon the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the new EU SCCs.
  • All new contracts pursuant to which UK personal data is transferred internationally will need to include the IDTA or the UK Addendum to the new EU SCCs.

Key considerations for US Data Transfers

Some key points to bear in mind if your organisation transfers personal data to the US:

  1. If you intend to rely upon the UK Extension (see musings at bullet point 3) make sure the US company to which you are transferring data is listed as participating in the EU-US Data Privacy Framework (“DPF”). Bear in mind that banking, insurance and telecoms companies cannot participate in the DPF. A full list of participating companies can be found here: https://www.dataprivacyframework.gov/s/participant-search.
  2. The Information Commissioner’s Office has reviewed the Government’s determination that the UK-US data bridge provides adequate protection and has concluded that four areas could pose risks to UK data subjects:
    a. There is no equivalent to the “right to be forgotten” set out in UK GDPR.
    b. There is no unconditional right for a data subject to withdraw their consent to the processing of their data.
    c. The definition of “sensitive information” under the UK-US data bridge includes a “catch all” sweeper rather than specifying all the special categories of data that are referenced in Article 9 of UK GDPR. This means that there is an onus on UK organisations to flag biometric, genetic, sexual orientation and criminal offence data as “sensitive data” in order for it to be treated as such by the US organisation in receipt of the data. This is a new obligation for UK organisations.
    d. There is potentially reduced protection for criminal offence data (which, bearing in mind bullet point c above, needs to be flagged as “sensitive” in the first place) because some of the protections offered by the UK’s Rehabilitation of Offenders Act 1974 (the “Rehabilitation Act”) are not reflected in the UK Extension (including limitations on the use of personal data where convictions have become “spent”).
    e. There are reduced protections in relation to automated decision making including, for example, lack of provision of a right for an individual to seek a non-automated review of an automated decision where such decision produces legal effects or is otherwise similarly significant.
  3. There seems to be little doubt that the UK Extension will come into force on 12 October irrespective of the concerns flagged by the ICO. However, it may be wise for organisations to continue to include the IDTA or UK Addendum to the new EU SCCs for US data transfers while rumblings continue about the suitability of the UK Extension, particularly if there are already templates in use.

If you have any queries about data transfers to the US or your wider obligations pursuant to UK GDPR and other data protection and privacy legislation, please contact Flo Maxwell or Jack Farrer.

Disclaimer: Anything posted in this blog is for general information only and is not intended to provide legal advice on any general or specific matter.
