New UK regulations: transferring personal data from the UK to the US post-Brexit

The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) (No. 2) Regulations 2019 (the “Regulations”), concerning the transfer of personal data from the UK to the US under the Privacy Shield in a no-deal Brexit situation, were adopted on 29 March 2019 and will apply on the UK’s exit from the EU.

International transfers of data under the GDPR

Under the General Data Protection Regulation (the “GDPR”), personal data may only be transferred outside the EEA or to an international organisation if certain derogations apply, or if one of the following conditions is met:

  • the European Commission (the “Commission”) has determined that the country offers ‘adequate’ protection for individuals; or
  • the controller or processor has provided appropriate safeguards in accordance with the GDPR (for example, by entering into a legally binding agreement, binding corporate rules or standard data protection clauses).

Transferring Personal Data from the EU to the US

The Commission has not made an adequacy decision in respect of the US. However, in 2000, the Commission and the US government established the ‘safe harbour’ framework as a method of providing adequate protection for transfers of personal data from the EU to the US. Following a decision by the Court of Justice of the European Union in 2015, safe harbour was invalidated. The Commission then adopted a new adequacy framework for transfers of data to the US, known as the EU-US Privacy Shield (the “Privacy Shield”).

This means companies in the UK may lawfully transfer personal data to companies in the US in certain cases provided that those US entities are signed up to the Privacy Shield list maintained by the US Department of Commerce. In order to be added to the list, a US company must commit to comply with Privacy Shield and must have a privacy policy complying with certain principles relating to the protection of personal data.

Transfers of data from the UK to the US post-Brexit

The UK Parliament has enacted legislation that is intended to retain certain provisions of the GDPR in domestic law following the UK’s withdrawal from the EU and adopt key decisions of the EU institutions that would allow data transfers post-Brexit that are currently permitted under EU law.

As such, the Regulations are intended to allow UK companies to continue to transfer data to the US in accordance with the Privacy Shield following the UK’s exit from the EU. However, there is a new requirement that will need action: the US-based entity must include in its privacy policy a commitment to comply with the Privacy Shield principles in relation to personal data transferred from the UK.

Action point

Companies in the UK transferring data to the US should therefore check whether the US companies to which they transfer personal data have updated their privacy notices as required by the new Regulations.
