UK and US Data Protection
There have been some developments on data transfers between the UK and US. Following discussions last year about the UK’s adequacy assessment of the new US Data Privacy Framework, the US and UK governments announced in a joint statement that they have committed in principle to establish a “UK-US data bridge”.
The agreement is subject to the UK government finalising its assessment of US data protection laws and practices. Once that assessment is complete, the data bridge will allow personal data to be transferred securely and more freely from UK organisations to certified organisations in the US, removing the need to rely on additional transfer mechanisms, which can be quite lengthy and complex.
Whilst this is good news for organisations that regularly transfer personal data from the UK to the US, it should also serve as a reminder to organisations that transfer personal data from the UK to other countries that they must have appropriate mechanisms and safeguards in place to ensure that the data is protected.
International transfers of personal data
Any transfer of personal data from the UK to another country is a restricted transfer. You can make a restricted transfer if it is covered by adequacy regulations, i.e., the data protection regime in that country has been assessed by the UK as providing ‘adequate’ protection for people’s rights and freedoms in relation to their personal data. Currently, all countries in the EU are covered by adequacy regulations, as are a small number of other countries, and the UK government is working in partnership with several priority destinations that may be covered by adequacy regulations in the future. Adequacy regulations allow you to transfer personal data freely.
If the country you want to transfer the personal data to is not covered by adequacy regulations, you must carry out a transfer risk assessment and determine which appropriate safeguards to put in place to protect that data. The most commonly used safeguards for UK organisations are:
- UK Binding Corporate Rules. These are intended for use by multinational corporate groups, groups of undertakings, franchises, joint ventures, or professional partnerships. Once drafted, they must be approved by the Information Commissioner’s Office, which can be quite a lengthy process, but once approved they can be relied on for international transfers of personal data.
- Standard data protection clauses. An alternative to UK Binding Corporate Rules, and one that can be used both for intra-group transfers and for transfers from one organisation to an entirely separate organisation, is a contract incorporating standard data protection clauses. UK organisations have the choice of the International Data Transfer Agreement or the International Data Transfer Addendum. Organisations based solely in the UK may decide that the standalone agreement is a better fit for their needs, whereas organisations with an EU presence may be better served by the addendum, as it allows them to maintain a degree of consistency with their EU offices. Many organisations incorporate standard data protection clauses into their agreements because the content has already been approved by the UK government and so can be relied on immediately.