Are you worried about keeping up with current regulations when transferring data in your business?
Do you often transfer data from the UK to the US?
If you don’t know the answer, do you use cloud services such as Apple iCloud or Google Drive? If so, the answer is almost certainly yes.
Are you totally overwhelmed and tired of trying to understand the ever-changing regulations?
The law can be overwhelming and hard to keep up with. So much so that there have been further updates since my last blog last summer (which you can read here), outlining what you need to do when transferring data internationally.
I’ve pulled together a summary of the UK-US Data Bridge which came into force on 12 October 2023, and what it means for you when transferring data across the pond, along with an updated checklist on what exactly you need to do when transferring data internationally to ensure UK GDPR compliance.
What’s changed?
In a nutshell, the lawful transfer of personal data from an organisation in the UK to the US was previously governed by several overlapping regimes, which made it confusing to keep up with: the EU-US Privacy Shield, the UK General Data Protection Regulation and the EU General Data Protection Regulation.
From July 2016 to July 2020, the Privacy Shield permitted commercial transfers of personal data from the EU (and the UK, first as a member state and then during the transition period) to US organisations that had self-certified to it. The Court of Justice of the EU invalidated it in July 2020 (the Schrems II judgment), and UK companies fell back on Standard Contractual Clauses (SCCs) and Binding Corporate Rules, both of which require a transfer risk assessment. In March 2022 the ICO’s International Data Transfer Agreement (IDTA) and the UK Addendum to the EU SCCs replaced the old EU SCCs for UK transfers, but the requirement for a transfer risk assessment remained.
The EU and the US then agreed the EU-US Data Privacy Framework (DPF), and the European Commission’s adequacy decision of July 2023 allows personal data to be transferred from the EU to US organisations that self-certify to the DPF. This has the added benefit that no further safeguards are required for those transfers.
Fast forward to now: the UK has built on the DPF, and the UK-US Data Bridge came into force on 12 October 2023, allowing UK businesses to transfer personal data to US organisations that are certified to the UK Extension to the EU-US DPF.
What do I need to know about the UK-US Data Bridge?
The UK-US Data Bridge is a set of UK adequacy regulations for the US. It allows personal data to flow from organisations in the UK to US organisations that have self-certified to the UK Extension to the EU-U.S. Data Privacy Framework, without any further transfer mechanism.
If your US service suppliers are on the DPF List with the UK Extension active, you don’t need a separate data transfer agreement in place for those transfers, which relieves you of a chunk of data protection admin. Let’s all do a little cheer here (hooray!).
When a US organisation self-certifies to the UK Extension, it agrees to comply with the DPF principles and makes a public commitment to do so in a published privacy policy, a commitment that is enforceable by the US Federal Trade Commission (or the Department of Transportation, for the organisations it regulates). You can therefore transfer data to it with a clear conscience and in compliance with UK data protection law.
It’s very important that you check the published DPF List, because not all US companies choose to opt in, and some that are certified to the EU-U.S. DPF have not taken up the UK Extension. There is more guidance on how to check this in the checklist section further down this blog.
What about special category data?
Under the DPF principles, special category data can be transferred under the UK-US Data Bridge, and US organisations are required to treat such data as sensitive.
However, an important point to note is that certain categories of data that the UK GDPR treats as special category data are not automatically considered sensitive under the DPF: biometric data, data concerning criminal offences, data concerning sexual orientation and genetic data. If you transfer any of these to a US organisation, you must explicitly tell it that the data is special category/sensitive data, so that it applies the DPF’s protections for sensitive data.
For the other types of special category data (such as health data, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership), you have the option to label the data as sensitive, but this isn’t a requirement.
Are there any anomalies that I need to be aware of?
Yes! Journalistic data (personal data gathered for publication, broadcast or other forms of public communication) cannot be transferred under the UK-US Data Bridge, so if you are sending it to a US organisation you will need some other form of data transfer documentation in place; see my previous blog on the options for this. The DPF is also only open to US organisations subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation, so organisations in some sectors (banks and insurers, for example) cannot self-certify at all.
It’s also worth bearing in mind that the following UK GDPR rights are not reflected in the DPF principles: the right to be forgotten, the rights relating to automated decision-making, and the unconditional right to withdraw consent to data processing. So if a UK business receives a request of this kind from a data subject, it will still need to contact its US service providers and ask them to update or delete the data they hold about that person accordingly.
What does this change mean for my business?
There are huge benefits to the UK-US Data Bridge update, including:
When transferring to a US organisation certified to the UK Extension, you no longer need “appropriate safeguards” in place under Article 46 of the UK GDPR, or to rely on an Article 49 exception
You are not required to complete a Transfer Risk Assessment
Your compliance burden will likely be lightened, and your transfer process should be both quicker and easier
This change also means that you will need to update your privacy policy to outline your updated transfer process, along with documenting any processing activities as necessary to reflect any changes in how you transfer personal data to the US.
If you’d like help with updating your privacy policy, get in touch, I offer a bespoke service where I can update your policies based on your business activities.
What does this mean for the standard, day-to-day practice of transferring data? The updated Checklist…
I have updated my previous international data transfer checklist to reflect these changes. All you need to do is answer the following questions to work out what you have to do:
1. Is there a personal data transfer?
Under UK laws, if there is a transfer of personal data to a country outside of the UK then you need to think carefully about what you are doing. You need to make sure the transfer of the data is done in a compliant way and in line with the UK laws.
This includes scenarios where the personal data can simply be accessed via screens in a different location – so for example, if you have data stored on UK servers but colleagues in your Australian office can view the data, then even though you are not actually ‘sending’ the data, the fact that it is ‘accessible’ in the subsidiary’s office means that a transfer has taken place.
If there is a transfer, then read on…
2. Is this to a country covered by ‘adequacy regulations’?
As stated in my last blog, countries covered by the adequacy regulations have been deemed by the UK to have legal frameworks that provide adequate protection for individuals’ data protection rights.
Currently, the UK has adequacy regulations covering:
EU member states: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden.
EEA/EFTA countries: Iceland, Norway and Liechtenstein.
EU and EEA institutions, bodies, offices and agencies.
Gibraltar and the Republic of Korea.
Other countries/territories/sectors: Andorra, Argentina, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay.
Partial findings of adequacy for Japan (private sector organisations only) and Canada (only data subject to Canada’s Personal Information Protection and Electronic Documents Act).
The United States, but only for organisations certified to the UK Extension to the EU-U.S. Data Privacy Framework (this is the UK-US Data Bridge, covered in step 3 below).
3. If not, are there appropriate safeguards in place?
You should firstly check your T&Cs with the third-party who you are sharing the data with – does it already contain an appropriate document to deal with the data transfer?
You should also confirm whether the organisation has certified under the Data Bridge by checking the DPF List, the official list of self-certified organisations published at dataprivacyframework.gov.
Once on the DPF website, you can do the following:
· Go to the DPF List and search alphabetically, or by typing the organisation name in the search bar.
· Confirm that the organisation has self-certified and that its status is active. For a US organisation, confirm that it is also listed under the UK Extension to the EU-U.S. Data Privacy Framework and that this is active; certification to the EU-U.S. DPF alone does not cover transfers from the UK.
The listing also shows any other frameworks the organisation participates in, for example the Swiss-U.S. Data Privacy Framework.
The organisation is covered by the UK-US Data Bridge only if its record shows the UK Extension to the EU-U.S. DPF as active (the List marks this with a green icon next to the UK Extension entry).
If you’re transferring HR data (data relating to your employees), you must also confirm that HR data is covered by the organisation’s DPF commitments, since an organisation can certify for non-HR data only. Click the organisation’s name on the DPF List, open its privacy policy from there, and check that HR data is covered.
If you have established that the organisation is certified to the UK Extension, you can transfer the personal data without any further safeguards. Do document your search (the date, the organisation’s status and what its certification covers) for your records, and re-check it periodically: certifications lapse if the organisation does not renew them each year.
If the above does not apply, ask the recipient whether it has a transfer agreement for your review and signature.
If it has nothing, you should get an appropriate document drafted for its review and signature. Under the UK GDPR, the usual safeguard is standard contractual clauses, which means either the ICO’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) together with the ICO’s UK Addendum; the EU SCCs on their own are not a valid safeguard for transfers from the UK. Either route also requires a transfer risk assessment. If you would like more information about the differences between an IDTA and SCCs, please see my earlier blog here.
You may be wondering how you can do this!? The ICO has guidance and templates available here for the IDTA and the UK Addendum, and the European Commission has guidance and templates here for the SCCs.
If you need help completing these templates (or getting them checked/reviewed) then get in touch – I offer a service where these templates can be tailored to your data transfers.
4. Is your existing SCC/transfer document up to date?
It’s important to check that the SCCs you already have in place are not one of the old EU sets (the 2010 controller-to-processor clauses or the earlier controller-to-controller clauses). The EU replaced these with new SCCs in 2021, with a deadline of 27 December 2022 for transfers under the EU GDPR. For transfers under the UK GDPR the ICO’s transitional period ran longer: the old clauses could be used for new contracts until 21 September 2022, and existing contracts relying on them had to be moved to the IDTA or the new SCCs plus UK Addendum by 21 March 2024. Any transfer still relying on the old clauses is not compliant with UK data protection law.
5. Is there another option? An exception perhaps?
If you’ve exhausted all of the above options, and the country you’re sending data to is not covered by the adequacy regulations, you may be questioning what you can do next. You may also be experiencing difficulty from the other side when it comes to signing a SCC/IDTA.
If this is the case, you may still be able to transfer data, but only if you can fall within one of the following eight exceptions set out in Article 49 of the UK GDPR:
1. You have the explicit consent of the person the transferred data is about.
2. You have a contract with the person the transferred data is about, and the restricted transfer is necessary so you can carry out your obligations in that contract, or is necessary so you can carry out pre-contract steps requested by that person.
3. The restricted transfer is necessary for you to enter into a contract or to carry out your obligations under a contract, and that contract benefits the person the transferred data is about (in this case the contract is not with that person).
4. The restricted transfer is necessary for important reasons of public interest.
5. The restricted transfer is necessary to establish whether you or someone else has a legal claim or defence, to make a legal claim or to defend a legal claim.
6. The restricted transfer is necessary to protect someone’s vital interests; this may or may not be the person the transferred data is about. To use this exception, the person the transferred data is about must be physically or legally incapable of giving their consent to the restricted transfer.
7. The restricted transfer is from a public register and meets the relevant legal requirements relating to access to that public register.
8. The restricted transfer is a one-off transfer which is necessary to meet your compelling legitimate interests.
It’s worth noting that the above exceptions should only be relied on as a last resort. They do not provide comfort to the data subjects about the safety of their data, and therefore will not be in line with the general spirit of data privacy and protection.
If you’re intending to rely on one of these exceptions, please get in touch. There are specific requirements for each of the above, and an analysis should be carried out before relying on an exception to ensure full compliance.
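To show how the five checklist questions fit together, here is the decision procedure written out as a small Python function. This is an added example and not part of the original post: the adequacy list, the four special category types that must be labelled, and the Data Bridge, HR data, journalistic data and old-SCC rules come from the checklist above, while the `DPF_LIST` dictionary is a constructed stand-in for a manual lookup on the real DPF List (the organisation names in it are hypothetical, and the real list has no API you should rely on from code).

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Countries and territories covered by UK adequacy regulations (from the checklist above).
ADEQUATE = {
    # EU member states
    "austria", "belgium", "bulgaria", "croatia", "cyprus", "czech republic", "denmark",
    "estonia", "finland", "france", "germany", "greece", "hungary", "ireland", "italy",
    "latvia", "lithuania", "luxembourg", "malta", "netherlands", "poland", "portugal",
    "romania", "slovakia", "slovenia", "spain", "sweden",
    # EEA/EFTA, Gibraltar, Korea and the other full adequacy findings
    "iceland", "norway", "liechtenstein", "gibraltar", "republic of korea", "andorra",
    "argentina", "guernsey", "isle of man", "israel", "jersey", "new zealand",
    "switzerland", "uruguay",
}
PARTIAL_ADEQUACY = {
    "japan": "private sector organisations only",
    "canada": "only data subject to PIPEDA",
}
# Special category data the DPF does NOT treat as sensitive unless you label it.
NOT_SENSITIVE_BY_DEFAULT = {"biometric", "criminal offence", "sexual orientation", "genetic"}

# Constructed stand-in for a manual DPF List lookup; these organisations are hypothetical.
DPF_LIST = {
    "Example Cloud Inc.": {"uk_extension_active": True, "hr_data_covered": True},
    "Acme Analytics LLC": {"uk_extension_active": False, "hr_data_covered": False},
    "Widgets Co": {"uk_extension_active": True, "hr_data_covered": False},
}


@dataclass
class Transfer:
    recipient: str
    country: str
    categories: Set[str] = field(default_factory=set)  # e.g. {"health", "biometric"}
    hr_data: bool = False
    journalistic: bool = False
    contract: Optional[str] = None  # "IDTA", "SCC+UK Addendum", "old EU SCC" or None


def assess(t: Transfer, dpf_list=DPF_LIST) -> Tuple[str, List[str]]:
    """Walk the checklist and return (transfer route, follow-up actions)."""
    actions: List[str] = []
    country = t.country.strip().lower()

    # Step 1: no restricted transfer if the data stays in the UK.
    if country == "united kingdom":
        return "no restricted transfer", actions
    # Step 2: adequacy regulations (full or partial).
    if country in ADEQUATE:
        return "adequacy regulations", actions
    if country in PARTIAL_ADEQUACY:
        actions.append(f"confirm the transfer is within the partial finding: {PARTIAL_ADEQUACY[country]}")
        return "adequacy regulations (partial)", actions

    # Step 3a: UK-US Data Bridge, only for recipients with the UK Extension active.
    if country in {"united states", "usa", "us"}:
        rec = dpf_list.get(t.recipient)
        if t.journalistic:
            actions.append("journalistic data cannot use the Data Bridge; use another mechanism")
        elif rec is None:
            actions.append("recipient not on the DPF List")
        elif not rec["uk_extension_active"]:
            actions.append("recipient is on the DPF List but the UK Extension is not active")
        elif t.hr_data and not rec["hr_data_covered"]:
            actions.append("recipient's DPF commitments do not cover HR data")
        else:
            must_label = sorted(t.categories & NOT_SENSITIVE_BY_DEFAULT)
            if must_label:
                actions.append(f"tell the recipient these categories are sensitive: {must_label}")
            actions.append("record the DPF List check (date, status, data covered) and re-check annually")
            return "UK-US Data Bridge", actions

    # Steps 3b and 4: appropriate safeguards, and is the document a current one?
    if t.contract in {"IDTA", "SCC+UK Addendum"}:
        actions.append("complete and record a transfer risk assessment")
        return "appropriate safeguards", actions
    if t.contract == "old EU SCC":
        actions.append("old EU SCCs are no longer valid; replace with the IDTA or SCCs plus UK Addendum")
    else:
        actions.append("no transfer document in place; put an IDTA or SCCs plus UK Addendum in place")
    # Step 5: exceptions are a last resort, so they are flagged rather than chosen here.
    actions.append("otherwise an Article 49 exception is the only remaining route (last resort)")
    return "no valid safeguard", actions


if __name__ == "__main__":
    for t in (
        Transfer("Example Cloud Inc.", "United States", {"health", "biometric"}),
        Transfer("Acme Analytics LLC", "United States"),
        Transfer("Widgets Co", "United States", hr_data=True, contract="old EU SCC"),
    ):
        print(t.recipient, "->", assess(t))
```

The function deliberately never returns an Article 49 exception as the route: the checklist treats exceptions as a last resort that needs a case-by-case analysis, so the code only flags that it is the remaining option. Note also that a recipient certified to the EU-U.S. DPF but without the UK Extension falls through to the safeguards branch, which is the trap the checklist warns about.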
Conclusion
The UK-US Data Bridge provides an easier route to transfer personal data to the US, and will result in a less compliance heavy transfer for your business. If you have further questions on how you can implement the UK-US Data Bridge in your business to ensure compliance, please get in touch.