The transfer of personal data outside the UK requires certain considerations such as safeguards or derogations to be put in place. This year we have seen the introduction of a myriad of new EU or UK transfer mechanisms such as the EU model "standard contractual clauses" supplemented by the UK Addendum or alternatively the UK International Data Transfer Agreement as well as Transfer Impact Assessments.
The EU recently announced for transfers from the EU to the US the Data Privacy Framework (DPF) to help facilitate transfers to the US. As of 12 October 2023, businesses in the UK may be able to transfer personal data to certain organisations in the US under the UK Extension to the EU-US Data Privacy Framework, without the need for additional safeguards (such as the "standard contractual clauses") where the UK-US bridge applies.
What is the EU-US Data Privacy Framework?
Please see our previous article here. It is essentially an adequacy decision adopted by the EU Commission covering data transfers from the EU to the US.
What is the UK-US data bridge?
The UK-US data bridge is an extension to the EU-US Data Privacy Framework that applies to the UK, meaning businesses in the UK can transfer personal data to certain organisations in the US provided they comply with principles of the EU-US Data Privacy Framework, including the requirement for the US recipient to be on the Data Privacy Framework List.
As required by section 17A of the Data Protection Act 2018, the UK Secretary of State for Science, Innovation, and Technology laid The Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (the Adequacy Regulations) in Parliament to give effect to the UK’s adequacy decision on 21 September 2023. The Adequacy Regulations come into force on the 12 October 2023 and UK businesses will be able to rely on these regulations from then.
What should UK businesses do in response?
It should be noted that the EU-US Data Privacy Framework has been challenged (see our article here) and the current iteration of the UK-US data bridge relies on the EU-US Data Privacy Framework being in place. Therefore, if the challenge to the EU-US Data Privacy Framework is successful, it’s unclear what the impact will be on the UK-US data bridge.
UK businesses transferring data to US data importers are likely relying on the "standard contractual clauses" or other appropriate safeguard to effect a compliant transfer, so until there is greater certainty as regards the EU-US Data Privacy Framework, businesses may wish to maintain their current international transfer method. Businesses should also be aware that before they rely upon the provisions of the UK-US data bridge, additional compliance steps may be required including, for example, reviewing, and where appropriate updating, privacy notices and identifying any special category personal data subject to the transfer.
Beverley Flynn
Guy Cartwright
Jessica Gregson