The ICO issues guidance aiming to support organisations conducting personal data transfers to the US using an Article 46 UK GDPR mechanism to those organisations that are not self-certified under the UK Extension to the EU-US DPF.
Transferring personal information across borders has become a crucial aspect of our interconnected world. In the digital landscape, many organisations transfer personal data to the US as part of their day-to-day business. For organisations in the United Kingdom, this means that they need to ensure compliance with the UK General Data Protection Regulation (GDPR). According to the ICO, when transferring personal data to the US using the transfer mechanisms outlined in Article 46 of the UK-GDPR, it is necessary to complete a transfer risk assessment. Examples of this include the ICO’s International Data Transfer Agreement (IDTA), the Addendum to the EU’s Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs). By conducting a thorough transfer risk assessment, organisations can ensure compliance with the UK GDPR and protect personal data when transferring it to the US. This now only applies to data transfers to those organisations that are not self-certified under the UK Extension to the EU-US Data Privacy Framework (DPF).
The International Data Transfer Agreement and Guidance gives details on compliance requirements.
The International Data Transfer Agreement and Guidance provided by the ICO offers organisations a framework to navigate the complexities of transferring personal data to third countries, including the US. The guidance emphasises the necessity for an adequate level of data protection in the receiving country, ensuring the data subject’s rights are upheld. The ICO advises organisations to carefully evaluate the risks associated with the transfer, taking into consideration factors such as the legal and political environment, the specific protections offered to personal data, and any supplementary measures that may need to be implemented to ensure the adequate protection of individuals’ rights and freedoms. This risk assessment should be comprehensive and robust, considering both the nature of the data being transferred and the potential implications for individuals’ privacy and data protection rights.
Organisations may have to consider alternative transfer mechanisms along with other supplementary measures to ensure compliance.
Since the Schrems II ruling by the Court of Justice of the European Union, the formerly effective EU-US Privacy Shield is no longer compliant with UK GDPR. As a result, on 10 July 2023 the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework, concluding that the US ensures an adequate level of protection for personal data transferred from the EU to US companies participating in the EU-US Data Privacy Framework. In October 2023, the UK Government updated the list of adequate territories after making adequacy regulations for the UK Extension to EU-US Data Privacy Framework, known as the bridge. However, organisations who will transfer personal data to companies that are not participating in the bridge will still need to adopt alternative legal mechanisms for international transfers such as SCCs. This mechanism allocates responsibilities and obligations between the data exporter and importer through pre-approved contracts. As a result, SCCs are essential for UK GDPR compliant international transfers in this context. Organisations may also have to consider implementing strong encryption, pseudonymization techniques, or stricter access controls as additional security measures when transferring data to the US.
Also, with the International Data Transfer Agreement’s emphasis on adequate data protection levels in recipient countries, UK organisations will be required to evaluate the respective national security and surveillance laws to ensure compliance with UK GDPR. For organisations transferring data to the US, legislation such as the Foreign Intelligence Surveillance Act (FISA) or the Clarifying Lawful Overseas Use of Data Act (CLOUD Act) must be considered and evaluated carefully, particularly with US organisations which are not certified under US data bridge.
Organisations must be prepared to monitor for the evolution of laws and security requirements
Transferring personal information to the US under UK GDPR requires organisations to carefully navigate the complex landscape of international data transfers. By adhering to the International Data Transfer Agreement and Guidance provided by the ICO organisations can ensure compliance with UK GDPR while protecting the privacy rights of data subjects. Continuous assessment and vigilance in monitoring legal developments and security practices are crucial for organisations to maintain compliance in this evolving regulatory landscape.
