Sending data to the US? What UK organisations need to know about the new UK-US data bridge
A ‘data bridge’ is about to be established between the UK and US to permit the flow of personal data without the need for ‘overseas transfer’ safeguards. This only applies where the recipient in the US is certified under a Data Privacy Framework.
From 12 October 2023 organisations in the UK can transfer personal data to businesses in the US that are certified to the UK Extension to the EU-US Data Privacy Framework. The Data Privacy Framework Program sets out principles governing how an organisation uses, collects and discloses personal data. US organisations certified under the Framework can opt in to receive data from the UK. Only when the US organisation has been certified and publicly placed on the Data Privacy Framework List (DPF List) can it receive UK personal data through the UK-US data bridge.
The data bridge replaces the previous EU-US Privacy Shield Framework established in 2016. The new regime will allow UK individuals whose personal data has been transferred to the US to seek redress if they believe their personal data has been accessed unlawfully by US authorities for national security purposes.
Exclusions
The Framework is enforced by the US Federal Trade Commission and Department of Transportation. Only organisations subject to their jurisdiction are eligible to participate in the Framework. Notably this excludes banking, insurance and telecommunications companies. UK businesses wanting to transfer personal data to these types of organisations in the US will need to rely on an additional ‘overseas transfer’ safeguard for the international data transfer. Similarly journalistic data (personal information that is gathered for publication, broadcast or other forms of public communication of journalistic material) can’t be transferred under the data bridge.
Sensitive data
There are some differences in the definitions of special category/sensitive data in the UK and US systems. For example, genetic data, data concerning sexual orientation and biometric data for the purpose of uniquely identifying a natural person are recognised as ‘special category data’ in the UK but are not considered ‘sensitive information’ under the Framework. However, organisations certified under the Framework are required to treat as sensitive any information they receive which is identified and treated as sensitive by the third party sharing the information. UK organisations who want to share these types of data with US entities from 12 October 2023 must, therefore, specifically identify the relevant data as being sensitive in nature.
Personal data relating to criminal convictions and offences, or related security measures (known as criminal offence data), should also be flagged as sensitive to a US recipient. Where criminal offence data is to be shared as part of an HR relationship, the US recipient must indicate that it’s seeking to receive such data under the Framework.
Action points for UK organisations
Regulations establishing the data bridge will come into force on 12 October 2023. Before then, UK organisations who transfer data to the US should:
- Check that the US entity has been certified and placed on the DPF List on the Data Privacy Framework Program website. This will show whether the US company has signed up to the UK extension: www.dataprivacyframework.gov/s/participant-search.
- Put in place contractual arrangements as would be required if the US entity was in the UK or EU. For example, if you are a UK organisation appointing a US entity as a processor, you will need to appoint the US entity under contract as a processor. Alternatively, if you have existing arrangements in place based on ‘overseas transfer’ safeguards, and you have the opportunity to rely on the new data bridge, revise the existing contractual arrangements to take account of the changes.
- Review the relevant Privacy Notices for data subjects and your internal records such as the Record of Processing Activities and Technical and Organisational Measures documents. Update related IT integrations and operational data processing arrangements to take account of the changes that you put in place in reliance on the new bridge.
- If the intention is to transfer HR data, check the DPF List to ensure this type of transfer is covered by the US entity’s certification under the Data Privacy Framework.
- If the following types of data are transferred to the US entity, specifically flag to the US recipient that they are sensitive:
  - genetic data;
  - biometric data for the purpose of uniquely identifying a natural person;
  - data concerning sexual orientation; and
  - criminal convictions and offence data.
Written by David Hall and Felicity Lush