The UK government’s reform of data protection laws and the mechanics of cross-border data transfers has accelerated in the first half of 2022.
Various European regulators, including the UK’s Information Commissioner’s Office (ICO), have expressed an intent to monitor compliance with the data transfer rules more closely and to impose potentially significant fines where breaches are uncovered – capped in the UK at the higher of £17.5m or 4% of group worldwide annual turnover. US recipients of personal data gathered in the UK (whether from a group subsidiary or otherwise) should act now to assess their current compliance and plug any gaps.
For personal data gathered in the UK to be transferred to the US in a compliant manner, a number of steps must be taken:
An assessment of the proposed transfer’s impact, and of the steps taken to mitigate any identified risks to the data, must be undertaken and documented (a Data Transfer Impact Assessment, which the ICO refers to as a transfer risk assessment).
Appropriate data transfer agreements must be effected between the UK data transferor and US recipient, including a transfer agreement in a form issued by the ICO (an International Data Transfer Agreement or IDTA).
Appropriate information must be made available to the affected data subjects – in the case of employees this may be via an appropriate privacy notice in the staff handbook.
The business must implement sufficient technical measures, such as data security systems and access restrictions, to protect the transferred data.
Clear internal procedures must be adopted, and employees involved in transfers must receive appropriate and regular training on the rules and the rights of affected data subjects.
The IDTA was introduced in March this year to replace, for UK transfers, the EU-issued form of approved transfer agreement known as Standard Contractual Clauses (or SCCs); the ICO issued at the same time a UK Addendum that can be attached to the EU’s 2021 SCCs as an alternative to the IDTA. Organisations that have already implemented the pre-IDTA form of SCCs to enable data transfers can continue to rely on these until March 2024 but will need to have transitioned to the new form of IDTA (or the Addendum) by this date.
Other mechanisms are available to ensure compliance, but the above steps represent the most commonly adopted set of procedures. If investigating, the ICO will expect to see evidence of the required measures being adopted and of the implementation of appropriate internal procedures.
Importantly, these rules apply equally to transfers of UK-gathered personal data between group companies and to transfers between unrelated parties. Unless a US parent has no involvement in or knowledge of its UK subsidiary’s HR matters, the ICO’s expectation is that appropriate data transfer mechanics need to be in place. The ICO website itself gives the following example of a transfer caught by the rules:
Example: A UK company uses a centralised human resources service in the United States provided by its parent company. The UK company passes information about its employees to its parent company in connection with the HR service. This is a restricted transfer.
The UK government has recently published a response to its consultation on proposed reforms to the UK's data protection regime, to be contained in the upcoming Data Reform Bill. This indicates that future priorities will lie in cutting compliance red tape and increasing the list of countries able to benefit from simplified data transfer procedures, which currently does not include the US. However, these reforms will take time to implement, are currently not fully detailed and may not in any event extend to UK-US data transfers.