US and UK announce commitment to establish a more secure “UK-US data bridge”

12th July 2023

UK and US Data Protection

There have been some developments on data transfers between the UK and US. Following discussions last year about the UK’s adequacy assessment of the new US Data Privacy Framework, the US and UK governments announced in a joint statement that they have committed in principle to establish a “UK-US data bridge”.

The agreement is subject to the UK government finalising its assessment of US data protection laws and practices but once complete, the data bridge will allow personal data to be transferred securely and more freely from UK organisations to certified organisations in the US, so there is no need to rely on additional mechanisms that can be quite lengthy and complex.

Whilst this is good news for organisations that regularly transfer personal data from the UK to the US, it should serve as a reminder to those organisations that do transfer personal data from the UK to other countries that they must have mechanisms/safeguards in place to ensure that data is protected.

International transfers of personal data

Any transfer of personal data from the UK to another country is a restricted transfer. You can make a restricted transfer if it’s covered by adequacy regulations, i.e., the data regime in that country has been assessed by the UK as providing ‘adequate’ protection for people’s rights and freedoms about their personal data. Currently, all countries in the EU are covered by adequacy regulations, as well as a few more and the UK government are working in partnership with several priority destinations which may be covered by adequacy regulations in the future. Adequacy regulations allow you to transfer personal data freely.

If the country you want to transfer the personal data to is not covered by adequacy regulations, you must carry out a transfer risk assessment and determine what appropriate safeguards to put in place to protect that data. The most used safeguards for UK organisations are:

  • UK Binding Corporate Rules. These are intended for use by multinational corporate groups, groups of undertakings, as well as franchises, joint ventures, or professional partnerships. Once drafted, these must be approved by the Information Commissioner’s Office which can be quite a lengthy process but once they’re approved, they can be relied on for international transfers of personal data.
  • Standard data protection clauses. An alternative to UK binding corporate rules, and one that can be used for both intra-group transfers and transfers from one organisation to an entirely separate organisation, is a contract incorporating standard data protection clauses. UK organisations have the choice of the International Data Transfer Agreement or the International Data Transfer Addendum. Organisations based solely in the UK may decide that the standalone agreement is a better fit for their organisational needs, whereas organisations with an EU presence would be better off with the addendum as it allows them to maintain a degree of consistency with their EU offices. Many organisations incorporate standard data protection clauses into their agreements as the content has already been approved by the UK Government so can be relied on instantly.

Want to know how this affects you or advice on safeguarding procedures to ensure that data is protected, were here to help, get in touch.

We’re here for you – contact us today

0300 124 0406
enquiries@schofieldsweeney.co.uk

Contact Us

Bradford office

Church Bank House
Bradford
West Yorkshire
BD1 4DY

What3words - names.frosted.broke
Phone: 01274 350 800 Fax: 01274 306 111

Leeds office

Centura
76 Wellington Street
Leeds
West Yorkshire
LS1 2AY

What3words - crass.makes.store
Phone: 0113 849 4000 Fax: 0113 243 9326

Huddersfield office

30 Market Street
Huddersfield
West Yorkshire
HD1 2HG

What3words - eaten.salads.case
Phone: 01484 915 000 Fax: 0800 368 8449

London office

33 Bedford Row
London
WC1R 4JH
Phone: 020 8146 5119
Copyright © Schofield Sweeney Solicitors. All Rights Reserved.

Schofield Sweeney LLP is authorised and regulated by the Solicitors Regulation Authority.

Website by Tall
Conveyancing Quality