By Andrew Priest, Partner, Commercial & Technology, Birketts LLP
Q: I have heard that it is now much easier to send personal data to the US – is that correct?
A: Following the introduction of the new data bridge between the UK and the US (the ‘Bridge’), which came into force on 12 October 2023, as a UK business you should generally find that sending personal data to the US is becoming easier and more straightforward. The Bridge facilitates the transfer of personal data to the US by removing the need for specific contractual terms and alternative data transfer mechanisms, such as the International Data Transfer Agreement, which should make sending personal data more efficient and cost-effective.
However, it will not always be possible to use the Bridge. Any UK business wishing to transfer data to a US entity should ensure that the US entity is certified under the EU-US Data Privacy Framework (‘DPF’). Not all US entities will be certified. Without certification, the transfer of data to the US cannot benefit from the streamlined approach to personal data transfers provided under the Bridge.
Q: We are about to put some of our customer data into the cloud. We have been told that the data will be stored in a secure data facility in the US. Do we need to worry about this?
A: As a data controller it is your responsibility to ensure that any transfer of personal data to the US complies with the rules for overseas data transfers under UK GDPR. These rules are intended to ensure that the protection which is given to personal data in the UK is not lost when that personal data is sent overseas.
If your cloud provider in the US is certified under the DPF, your customer data can be transferred using the Bridge. US businesses that are eligible to receive data via the Bridge are obliged to maintain the same standards of data protection and privacy which apply to the data during the transfer process. In order to be registered under the DPF, US entities must comply with various principles, including obligations relating to data security.
If your cloud provider is not certified under the DPF, you will need to put in place an appropriate safeguard, such as the International Data Transfer Agreement, in order to protect the rights and freedoms of the individuals whose personal data is being transferred. You will also need to carry out an associated transfer risk assessment.
Q: Our new IT support provider is based in the US. They want us to sign a very simple contract which has no data protection provisions. Could we get into trouble if we sign the contract ‘as is’?
A: It is likely that your IT support provider will be processing personal data, so it is important to ensure that any and all data is protected under the contract. There are two aspects to this. Firstly, UK GDPR requires that a contract must contain specific provisions, including appropriate security measures which place obligations on both parties (as controller and processor) to maintain appropriate technical and organisational measures to ensure the security of any personal data being processed. Secondly, you will need to comply with the rules for the international transfer of personal data (as mentioned above) before allowing your IT support provider to access any personal data.
If you do sign a contract that does not contain the required terms under UK GDPR, you may face a fine issued by the Information Commissioner’s Office (ICO), which could be up to the higher of 4% of your annual global turnover or £17.5 million. Although a fine is possible, in practice you are more likely to receive a warning or a reprimand, and of course any breach of data protection law could lead to significant reputational damage for your business.
If you are presented with a contract which does not contain data protection provisions, you should carefully consider what you are potentially signing up to and the possible consequences that it could have for your business.