13th October 2023
Changes to restrictions around data transfers between the UK and the US have come into force this week, providing businesses and individuals with an easier way to send personal data to the States. Here’s what you need to know about the new ‘Data Bridge’:
Having formally opened on 12 October, the UK-US Data Bridge provides a new legal safeguard for UK organisations by permitting the transfer of personal data to the US if the organisation receiving it is listed on the EU-US Data Privacy Framework.
The new mechanism was adopted by the European Commission (which oversees data protection in Europe) back in July and has now extended the scope of the Framework to the UK.
Prior to the Data Bridge, if data was sent to the States, additional data protection contracts were required to ensure the transfer was lawful under the UK’s General Data Protection Regulation (GDPR) laws.
Before the change, UK GDPR and its EU equivalent prohibited transfers of personal data outside of the UK/EU without adequate safeguards. Examples of such safeguards include both organisations signing up to approved “Binding Corporate Rules” and “Standard Contractual Clauses” approved by the data protection authorities, and also adequacy decisions.
Adequacy is where the data protection authorities deem that another country provides a level of protection of personal data equivalent to that of the UK and EU, enabling the lawful transfer of personal data to organisations in such “adequate” countries.
Up to now, the USA has never been deemed an “adequate” country by the UK and EU data protection authorities, but there were previous mechanisms in place to facilitate EU to US transfers of personal data.
The former “Safe Harbour” and “Privacy Shield” agreements (the predecessors to the Data Bridge) were invalidated by the EU over various cases, partly due to the EU Commission’s view that the US does not have the ability to protect EU data subjects' personal information from the US Government's national security and surveillance powers.
To address these concerns, the Framework states that US businesses must commit to certain privacy obligations when receiving EU and UK individuals’ personal data.
If organisations in the UK wish to rely on the Data Bridge, they should look to review their privacy policies and update them to highlight that they will be using the Framework for data transfers with listed US organisations. It is also recommended that risk assessments are carried out in respect of all transfers.
Not all US organisations can join the framework, however – for example, those in some financial areas such as banking and insurance and some tech areas such as telecoms. As such, UK organisations will need to check whether the recipients are listed prior to agreeing to any transfer.
In the event the recipient is not signed up to the Framework, one of the pre-existing safeguards under UK GDPR needs to be used, such as the International Data Transfer Agreement or the UK Addendum to Standard Contractual Clauses.
Abigail Sinden, Associate in the Thrings Commercial team, said: “US data transfers occur more often than we think as many marketing and software providers are based in the States. The launch of the Data Bridge means it is going to be easier for UK businesses to transfer data to the US without spending the time and cost of putting the additional safeguarding contracts in place.
“To ensure the compliance of all trans-Atlantic transfers with the law, we would always recommend for organisations to seek legal advice and ensure their data protection policies and contracts are suitably up-to-date to reflect this latest important change in regulations.”