Companies often need to transfer personal data to other countries while conducting their business operations. Since personal data is not everywhere reliably protected by law, there are plenty of requirements for its legal transfer. In this article, we share how to transfer data from the UK using recently adopted instruments.
To begin with, the UK GDPR adopted after the UK Brexit basically duplicates the provisions of the European GDPR, which is why the data transfer requirements from the UK to other countries are the same as for the transfers from the EU to third countries.
First of all, the data can be transferred based on the adequacy decision or subject to appropriate safeguards. Among these safeguards, in particular, are binding corporate rules, standard data protection clauses, code of conduct, and certification mechanism. There are specific derogations when, for example, the transfer is necessary for important reasons of public interest.
Transfers on the basis of an adequacy decision
Adequacy decisions, also referred to as “data bridges” in the UK, confirm that a particular country ensures an adequate level of personal data protection and, therefore, the transfer of data there is allowed freely, without the need to implement appropriate safeguards.
Currently, the UK has granted adequacy to the European Economic Area (EEA), Israel, Japan, Switzerland, and some other countries.
What about the US?
There is the UK Extension to the EU-US DPF for this purpose.
In July 2023, the European Commission adopted an adequacy decision concerning the US commercial organisations participating in the EU-US Data Privacy Framework (DPF).
On 12 October 2023, the UK adequacy regulations for the US entered into force. They are officially named the UK Extension to the EU-US Data Privacy Framework (UK Extension).
What does it mean for the UK companies?
They can freely transfer personal data to US companies, certified under the UK Extension, without the need to implement appropriate safeguards and conduct transfer impact assessment.
- You can check the list of certified organisations on the DPF website.
It is, for sure, great news, which expands the possibilities for personal data transfer to the US and makes the EU and UK companies equal in this regard.
How can UK companies be certified under the UK Extension?
If the organisation has already self-certified under the DPF, it may choose to be also certified under the UK Extension by taking additional responsibilities concerning the UK and reporting this decision to the US Department of Commerce (DoC).
What are the exceptions?
- Only US organisations subject to the jurisdiction of the US FTC or the US DoT are currently eligible to participate in the DPF program. Therefore, banking, insurance, and telecommunications companies are unable to participate in the DPF program at this time.
- Journalistic data is not subject to the requirements of the EU-US DPF (the Journalistic Exceptions Supplemental Principle 2(b)).
- To receive information related to HR processes based on the DPF, US companies must notify the DoC of such intent and ensure that they have implemented appropriate measures to obtain such data (Human Resources Data Supplemental principle 9(a)(i)).
How can the data be transferred to a US company not certified under the UK Extension or to a company in a third country not granted adequacy?
In such cases, appropriate safeguards are used. Standard data protection (or contractual) clauses (SCCs) are the most common safeguards.
When the UK was a part of the US, its organisations used SCCs, approved by the European Commission. After Brexit in 2020, the UK continued to use them.
Meanwhile, in 2021, the European Commission approved new SCCs, but since the UK was no longer part of the EU, it was still using the old version.
Then, in 2022, the UK also adopted new SCCs. In particular, the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers (Addendum).
!The Transitional Provisions state that contracts concluded on or before 21 September 2022 on the basis of any Transitional Standard Clauses (old European SCCs) shall continue to provide appropriate safeguards until 21 March 2024.
Therefore, the companies in such a situation need to start thinking about signing new agreements, particularly the IDTA or the UK Addendum.
What is the difference between the IDTA and the UK Addendum?
Basically, the IDTA is a UK version of the new European SCCs for data transfers to third countries. Meanwhile, the UK Addendum is a supplement to the new European SCCs.
The main difference between the IDTA and new European SCCs is that the IDTA does not follow a “modular” format. Therefore, it does not cover the requirements of Article 28 of the UK GDPR concerning processors’ obligations and is used only for data transfer. That is why an additional linked agreement is needed to regulate the relations between the processor and controller.
Which approach should you adopt?
Organisations that have already implemented the new EU SCCs for data transfers may find adopting the UK Addendum a quicker and simpler method rather than adopting the IDTA.
To sum up, data transfers from the UK must comply with the requirements of the UK GDPR. To ensure this, it is necessary to be familiar with the new mechanisms in this field, particularly the UK Extension and the IDTA & the UK Addendum.
Proper implementation of these instruments may raise plenty of questions, therefore, our team is ready to help you ensure that data is transferred in compliance with international data protection regulations.