A busy day in the office. A complex DSAR on your desk, and yet another request to be forgotten escalated by the marketing team. Sifting through your HR and/or customer data, trying to make sense of what you are processing and why. Suddenly, a miracle: a company licensing business software that can get the work done efficiently and cost-effectively. You are about to exclaim with joy, when the realisation hits you. They are based in the US. Transfers of personal data to the US require a Transfer Risk Assessment and negotiation of special contract clauses. Your heart sinks – no one in the business wants to do this. Sound familiar?
Not anymore! From 12 October 2023 the UK-US Data Bridge will make it easier (and cheaper) to transfer data across the pond. Under the EU-US Data Protection Framework (DPF), transfers to US organisations on the DPF list are deemed to meet the adequacy criteria under EU GDPR. The UK-US Data Bridge extends the application of the DPF to UK companies. As a result, the need for additional contractual provisions and extensive risk assessments before you transfer data to the US will be a thing of the past. Great news for small businesses, as a large proportion of business support and solution software involves US companies processing personal data on behalf of UK (and EU) data controllers.
The Framework draws on the fact that (for the most part) the US has a robust data protection regime and most data transfers between the UK and the US do not pose a serious threat to the rights of individuals in the UK or EU.
Since July 2023 companies covered by Privacy Shield have been able to apply to join the DPF (with some exceptions for insurance, banking and telecoms, as these are not regulated by the Federal Trade Commission). Going forward, the DPF will be based on self-certification. Organisations that wish to join the Framework will need to commit to the DPF Principles, and adherence to these Principles will be enforced through the “Recourse, Enforcement and Liability Principle” and oversight from various regulators. One example is the power of the Department of Commerce to remove companies that ‘persistently’ fail to comply with the DPF Principles.
However, it is important to be aware of some issues that both UK and US companies need to pay particular attention to when relying on the Data Bridge to transfer personal data. Here at Greenwoods, we have a great team of lawyers who can help you and your business make the most of the recent changes.
The Data Bridge is not a panacea for all transfers. Some issues have been highlighted by the Department for Science, Innovation and Technology (DSIT) as potentially more complex and requiring special attention.
Firstly, special category data still requires special protection (this will be particularly relevant to HR records, for example processing employee health data, and to new technologies using biometric security). As exporter, UK companies will need to identify such data and label it as sensitive. Under the DPF, US companies must treat as sensitive any data identified as such by their UK counterparts.
Secondly – the Data Bridge is only part of the compliance requirements – you still need a UK GDPR processing agreement with the client. Their standard terms may not be up to scratch and will need checking.
Another area of potential risk is the approach to automated decision making. With the advent of new technologies, more complex decision making can be done by machines. AI technology, being deployed at an astounding rate, opens another can of worms (and we do recommend our Employment Law Nowcast to learn more). The DPF does not directly address the issue of automated decision making, which has implications for the UK controller if they are required to provide information to data subjects regarding such decision making. The DSIT analysis suggests that this will need to be remedied through specific contractual provisions.
Finally – the DPF is already facing challenge from privacy groups (as being no more secure than previous regimes struck down over the past 10 years). It remains to be seen whether the DPF can survive such challenges, and it is always possible that your chosen provider may be removed from the Framework, so it would be prudent to agree alternative (fall-back) arrangements at the outset.
The DPF offers a chance for businesses on both sides of the Atlantic to simplify data transfer arrangements. This simplification can significantly reduce costs and contribute to an increase in transatlantic commercial relations. However, there remain some risks associated with the Framework, and we need to tread carefully when crossing the bridge.
Need help with your data protection compliance? Why not sign up for our Support for the DPO service? As little as £495 (+VAT) per month gives you access to our amazing lawyers – here to help you with data privacy queries – your virtually in-house data privacy team!
Greenwoods Legal LLP is a Limited Liability Partnership, registered in England, registered number OC306912. Our registered office is Queens House, 55-56 Lincoln’s Inn Fields, London, WC2A 3LJ. A list of the members’ names is available for inspection at our offices in Peterborough, Cambridge and London. Authorised and regulated by the Solicitors Regulation Authority, SRA number 401162. Details of the Solicitors’ Codes of Conduct can be found at www.sra.org.uk. All instructions accepted by Greenwoods Legal LLP are subject to our current Terms of Business. VAT Reg No: 161 9287 89.