October 5, 2022

Volume XII, Number 278


UK US Data Transfers Post Brexit

The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.

Various European regulators, including the UK’s Information Commissioner’s Office (ICO), have expressed an intent to more closely monitor compliance with the data transfer rules and impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17m or 4% of group worldwide turnover.  US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.

For personal data gathered in the UK to be transferred to the US in a compliant manner, a number of steps must be taken:

  • An assessment of the proposed transfer’s impact, and the steps taken to mitigate any identified risks to the data, must be undertaken (a Data Transfer Impact Assessment).

  • Appropriate data transfer agreements must be effected between the UK data transferor and the US recipient, including a transfer agreement in a form issued by the ICO (an International Data Transfer Agreement or IDTA).

  • Appropriate information must be made available to the affected data subjects – in the case of employees, this may be via an appropriate privacy notice in the staff handbook.

  • The business must implement sufficient technical measures, such as data security systems and access restrictions, to protect the transferred data.

  • Clear internal procedures must be adopted, and employees involved in transfers must receive appropriate and regular training on the rules and the rights of affected data subjects.

The IDTA was introduced in March this year to replace the EU-issued form of approved transfer agreement, known as Standard Contractual Clauses (or SCCs).  Organizations that have already implemented the pre-IDTA form of SCCs to enable data transfers can continue to rely on these until March 2024 but will need to have transitioned to the new form of IDTA by this date.

Other mechanisms are available to ensure compliance, but the above steps represent the most commonly adopted set of procedures.  If investigating, the ICO will expect to see evidence of the required measures being adopted and of the implementation of appropriate internal procedures.

Importantly, these rules apply equally to transfers of UK-gathered personal data between group companies as they do to transfers between unrelated parties.  Unless a US parent has no involvement in or knowledge of its UK subsidiary’s HR matters, the ICO’s expectation is that appropriate data transfer mechanics need to be in place.  The ICO website itself gives the following example of a transfer caught by the rules [1]:

Example:  A UK company uses a centralized human resources service in the United States provided by its parent company. The UK company passes information about its employees to its parent company in connection with the HR service. This is a restricted transfer.

The UK government has recently published a response to its consultation on proposed reforms to the UK's data protection regime, to be contained in the upcoming Data Reform Bill.  This indicates that future priorities will lie in cutting compliance red tape and increasing the list of countries able to benefit from simplified data transfer procedures, which currently does not include the US.  However, these reforms will take time to implement, are currently not fully detailed, and may not in any event extend to UK-US data transfers.

Please contact us if you would like to discuss any of these points in greater detail.  We have helped a number of clients implement and document compliant data transfer mechanics.  These have included UK-US transfers, covering both the transfer mechanics and the appropriate HR procedures where the transferred data relates to UK-based employees.  We have developed tools designed to help businesses meet their obligation to provide relevant training to key employees.


FOOTNOTES

1 https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers-after-uk-exit/ 

    © 2022 Vedder Price
    National Law Review, Volume XII, Number 192

    About this Author

    Jonathan Maude Labor and Employment Law Attorney Vedder Price Law Firm
    Partner

    Jonathan Maude is a Partner at Vedder Price and a member of the Labor and Employment group in the firm’s London office.

    Mr. Maude is an experienced and well-respected practitioner working in labor and employment law. He regularly advises across the full spectrum of employment law-related issues in the contentious and noncontentious spheres with a particular emphasis on advising corporate clients on complex strategic human resource-related matters.

    Jonathan Maude's practice can be broadly broken down into the two areas...

    +44 (0)20 3667 2860
    Jonathan Edgelow, Vedder Price Law Firm, Finance & Transactions Attorney
    Counsel

    Jonathan Edgelow serves as Counsel in the London office of Vedder Price and a member of the firm’s Finance & Transactions practice group.

    Mr Edgelow has twenty years’ experience representing clients in a broad range of corporate, financial and commercial matters. This includes significant M&A experience – advising on a number of UK focussed, and cross-border, company/asset acquisitions, sales and joint-ventures.

    Mr Edgelow looks to build long-term relationships with clients, and often acts in an external general counsel role – advising on a range of day-to-day...

    44-020-3667-2925