This browser is not actively supported anymore. For the best passle experience, we strongly recommend you upgrade your browser.
Insights Insights
| 1 minute read

UK-US Data Transfer Rules Finalized

The US has had a lot of trouble with data movement since 2018, when the EU's GDPR privacy rules came into effect. In part because of US national security/intel/surveillance efforts, the governments of EU countries do not trust that the US is "adequately" able to address data privacy.  There is a cumbersome process in place to move personal data out of the EU and into the US in commercial undertakings, but it has been plagued by uncertainty since the beginning and can be difficult to implement.  

Thanks to Brexit, however, the US has now been able to negotiate one component of data transfer that should grease the wheels of commerce a bit: the flow of data out of the UK will be subject to a "Data Bridge" program that takes effect October 12th. The UK is no longer bound by the EU's rules, and has negotiated a standalone data transfer scheme that relies on a new set of data transfer protocols between the EU and the US. The EU version of the rules, however, came under legal fire almost as soon as it was announced, and its future is uncertain.  

Why It Matters

For small companies especially, the need for 50 pages of contractual mumbo jumbo about data protection is a real impediment to doing business in the EU or UK -- especially where the legality of that contract is uncertain. It means committing to expensive and cumbersome practices without any assurance that such practices will be given legitimacy by regulators. Many smaller US companies are incentivized to forgo commercial opportunities rather than deal with the issue.  

Although a UK data transfer scheme does not solve the problem of whether newly proposed EU rules will hold water, it does make transfer easier with respect to one jurisdiction (the UK). That may be enough for some US companies, especially B2Bs that only need a handful of employees somewhere offshore and are not collecting vast amounts of consumer data.  


The U.K. government published an extensive and detailed analysis of relevant U.S. laws and practices related to the access and use of personal data by U.S. agencies for the purposes of national security and law enforcement. That analysis contributed — indeed, it was a significant contribution — to the U.K.'s finding that, as a matter of U.K. law, those U.S. laws and practices do not undermine the level of data protection for U.K. data subjects when their data is transferred to the U.S.


data security and privacy, hill_mitzi