The government has approved the UK-US data bridge and the Data Protection (Adequacy) (United States of America) Regulations will come into force on 12 October.
This is good news, as it recognises the US as providing an adequate level of protection for data transfer purposes. However, this does not allow UK organisations to simply transfer personal data to any data recipient in the US. For the data to flow freely without additional mechanisms, the recipient in the US must be listed on the EU-US Data Privacy Framework as participating in the UK Extension.
What is the Data Privacy Framework?
The Data Privacy Framework includes a set of enforceable principles and requirements that must be certified to and complied with by any organisation wanting to join it. Only US organisations subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transport are currently eligible to participate in the Data Privacy Framework, though this may be extended in the future.
What do UK organisations need to do?
It’s important for UK organisations to check if the relevant recipient is listed on the Data Privacy Framework as participating in the UK Extension before they transfer data with no additional mechanisms. The list can be found here – Participant Search (dataprivacyframework.gov).
Any UK organisation wanting to take advantage of this must also ensure that their privacy policies and procedures are updated to reflect the transfer to the US, and have appropriate data protection and transfer provisions with the relevant recipients.
If you require any further information or would like us to review and revise your current policies, procedures or agreements, please contact firstname.lastname@example.org.