On Friday the 22nd of September 2023, the UK agreed its own international data transfer mechanism with the USA to cover transfers of personal data from the UK to the USA. The new transfer mechanism can be used by SaaS companies from October, instead of UK standard contractual clauses.
From 12 October 2023, SaaS suppliers and SaaS customers can start to transfer UK personal data to entities located in the USA, provided that the US entity is certified under the new “UK Extension to the EU-US Data Privacy Framework” (the UK-US Data Bridge).
This means that all transfers of UK personal data made by SaaS companies to US companies certified under the UK-US Data Bridge will be deemed to be transfers to a third country that has adequate data protection laws.
Once a US organisation has been certified and is publicly placed on the DPF List they can receive EU personal data through the DPF.
What is the UK-US Data Bridge?
As a result of Brexit, the UK was not included in the DPF, as the DPF only covers EU member states. The UK has therefore entered into its own agreement with the USA. This agreement is an extension to the DPF, known as the UK-US Data Bridge or the UK Extension. US organisations that have been certified under the DPF can opt in to the UK Extension in order to also receive personal data from the UK.
Once a US organisation has been certified and is publicly placed on the DPF List on the DPF website with the UK Extension included, it can receive UK personal data through the UK-US Data Bridge.
The UK Extension of the DPF contains enforceable principles and requirements that must be certified to, and complied with, in order for a US organisation to be able to join the DPF. These principles take the form of commitments to data protection and govern how US organisations use, collect and disclose personal data.
The UK-US Data Bridge will be in force from 12 October 2023, and US entities can apply to be certified on the DPF website.
Which US organisations can certify under the DPF?
Only US organisations subject to the jurisdiction of the FTC or the DoT are currently eligible to participate in the DPF program. Those US organisations not subject to the jurisdiction of either the FTC or DoT — for example, banking, insurance, and telecommunications companies — are unable to participate in the DPF program at this time.
Data excluded from transfers under the DPF
Journalistic data defined by Supplemental Principle 2(b) of the DPF is not subject to the requirements of the DPF. Therefore, such data cannot be transferred under the UK-US Data Bridge.
Rules applicable to special category data
Special category and sensitive data can be shared with US organisations under the UK-US Data Bridge; however, UK organisations must correctly identify such data as sensitive when it is being shared.
UK special category/sensitive personal data
Any UK personal data which is considered to be sensitive, and which is not covered by the definition applicable to EU personal data, must be appropriately identified as sensitive to US organisations when transferred under the UK-US Data Bridge, to ensure that it receives appropriate protections.
This will include:
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person; and
- data concerning sexual orientation.
Where criminal offence data is proposed to be shared under the UK-US Data Bridge as part of a human resources (HR) data relationship, US recipient organisations are required to indicate that they are seeking to receive such data.
HR data is defined under Human Resources Data Supplemental Principle 9(a)(i) as:
- personal information about its employees (past or present) collected in the context of the employment relationship [transferred] to a parent, affiliate, or unaffiliated service provider in the United States participating in the EU-US DPF.
Criminal offence data may also be shared outside an HR relationship. When sharing criminal offence data, it should be indicated to the US recipient organisation that it is sensitive data requiring additional protections, in line with the protections for special category or sensitive data set out above.
UK Standard Contractual Clauses
Once a US entity is certified under the UK-US Data Bridge there is no longer any legal requirement for SaaS suppliers or SaaS customers to:
- use UK standard contractual clauses to make transfers of personal data; or
- carry out Schrems II data transfer assessments; or
- check that additional safeguards are in place to protect the personal data transferred;
as such transfers will be deemed to be to an entity located in a third country that has adequate data protection laws.
However, if a SaaS company cannot rely on the UK-US Data Bridge to transfer UK personal data to the USA for any reason, it will need to continue using UK standard contractual clauses or Binding Corporate Rules (BCRs) for such transfers. The requirement to carry out Schrems II data transfer assessments in addition to these will also continue to apply.
What about Switzerland?
The Swiss Data Protection Authority is currently finalising the provisions of a parallel framework between Switzerland and the USA (the Swiss-US Data Privacy Framework). However, until the new Swiss-US Data Privacy Framework is finalised, Switzerland’s adequacy list will remain unchanged. Pursuant to the new Swiss Data Protection Act of 1 September 2023, the Swiss Federal Council has authority to decide on the adequacy of states, and it will be up to the Swiss Federal Council to determine whether the USA can be added to the list in due course.
How to check registration under the UK-US Data Bridge
SaaS suppliers should check that the recipient of the UK personal data is certified under the UK-US Data Bridge. Certification can be checked on the DPF website.
It is important to check that the US organisation has signed up to both:
- the UK Extension to the EU-US Data Privacy Framework; and
- the DPF.
If any HR data will be transferred to the US organisation:
- the certification of the US organisation on the DPF website must highlight this; and
- there must be a link in the company’s certification on the DPF website to the relevant privacy policy or policies (for HR data and/or non-HR data) under the “Privacy Policy” section of the record.
Actions to be taken now
Where SaaS companies transfer any UK personal data to their group companies, affiliates, customers, suppliers or sub-processors located in the USA they will need to update their legal documentation to reflect these changes.
Where a transfer of UK personal data is made to a group company or affiliate located in the USA, they will need to:
- apply for the US entity to be certified under the UK-US Data Bridge;
- amend the group company or affiliate’s privacy policy to include the mandatory information required under the certification rules;
- amend intercompany data processing agreements to reflect the new transfer mechanism.
Where a transfer of UK personal data is made to a customer, supplier or sub-processor located in the USA, they will need to:
- amend sub-processor lists;
- amend data processing agreements; and
- amend data transfer assessments
to reflect the changes in the transfer mechanisms relied upon.
Irene Bodle is an IT lawyer specialising in SaaS agreements, GDPR and cloud computing, with over 15 years’ experience in the IT sector. If you require assistance with any SaaS or cloud computing contracts, GDPR or any other IT legal issues, please contact me:
irene.bodle@bodlelaw.com
www.bodlelaw.com