The UK data protection rules ("UK GDPR") restrict transfers of personal data to countries that do not have adequate levels of protection, such as the United States. Transfers can be made provided the parties put in place appropriate safeguards such as approved standard contractual clauses or binding corporate rules. However, these arrangements impose administrative burdens.

The European Union applies similar transfer restrictions. It recently enacted the EU-U.S. Data Privacy Framework ("DPF"), which allows transfers of personal data from the EU to U.S. organizations that have self-certified with the U.S. Department of Commerce under the DPF without the need for further arrangements or a transfer risk assessment. (Please see our Commentary, European Union and United States Reach New Agreement for Data Flow Across the Atlantic.)

The UK government has now adopted regulations (the "UK-U.S. Data Bridge") which allow UK companies to transfer personal data to the United States under the DPF. The UK-U.S. Data Bridge allows the transfer of personal data from the UK to U.S. organizations that have: (i) certified under the DPF; and (ii) opted in to receive UK data. The DPF only applies to U.S. organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation and so will not apply to banking, insurance, and telecommunications companies.

There are minor differences between the wording of the UK GDPR and the DPF in relation to special category and sensitive data. As a result, genetic data, biometric data, data concerning sexual orientation, and criminal offence data must be identified by the UK organization to the U.S. recipient before transfer.

The UK government has published a factsheet providing further details of the UK-U.S. Data Bridge.
