Other Data Transfer Mechanisms: Beyond GDPR

While the General Data Protection Regulation (GDPR) governs the processing of personal data of individuals in the EU, including transfers of that data out of the EU, it does not govern every international transfer. Transfers that originate in the UK, for example to the US or Switzerland, fall under the UK's own regime rather than the EU-GDPR. Understanding which framework applies and which transfer mechanisms are available in these cases is essential for businesses managing international data flows.

Data Transfers Between the UK and the US

The UK's data protection regime, governed by the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018, closely mirrors the EU-GDPR. However, the UK has its own transfer mechanisms for the US: the EU-US Data Privacy Framework (DPF) itself covers transfers from the EU, and UK transfers instead rely on the UK Extension to the DPF (the "UK-US Data Bridge") or on UK-specific contractual tools.

Key Mechanisms:

  • UK-US Data Bridge: The UK Extension to the EU-US Data Privacy Framework has been in force since 12 October 2023. UK organisations may transfer personal data to US organisations that are certified under the DPF and have opted in to the UK Extension, without further safeguards. Check the recipient's certification status on the DPF list before relying on it.
  • International Data Transfer Agreement (IDTA) and Addendum: The UK equivalent of Standard Contractual Clauses (SCCs). Transfers from the UK to non-certified US recipients must use the ICO's IDTA or the UK Addendum to the EU SCCs; the EU SCCs alone have not been valid for new UK transfers since 21 March 2022, and existing EU-SCC contracts had to be replaced by 21 March 2024. A transfer risk assessment is expected alongside either tool.
  • Binding Corporate Rules (BCRs): For multinational corporations, UK BCRs approved by the ICO allow intra-group transfers, including to US group entities.
  • Consent and other derogations: Explicit, informed consent from data subjects can support a specific transfer, but it is a derogation for occasional cases rather than a basis for routine or large-scale flows.

Data Transfers Between the UK and Switzerland

Switzerland is not an EU member but follows its own data protection law aligned with GDPR principles. The revised Federal Act on Data Protection (FADP), in force since 1 September 2023, governs the processing of personal data in Switzerland, including its transfer abroad, and is enforced by the Federal Data Protection and Information Commissioner (FDPIC).

Transfer Mechanisms:

  • Adequacy: The UK recognises Switzerland as providing adequate protection, so transfers from the UK to Switzerland need no additional safeguard. Switzerland in turn lists the UK as a country with adequate protection, so transfers in the other direction are likewise covered.
  • Contractual clauses: Where adequacy does not apply to an onward transfer (for example, from Switzerland to the US), the FDPIC recognises the EU SCCs provided they are adapted to Swiss law, alongside the UK's IDTA or Addendum for the UK leg.
  • Data Protection Agreements: Businesses often draft tailored processing or data-sharing agreements to align obligations under both the FADP and the UK-GDPR.

Practical Considerations for Businesses

  • Risk Assessments: Carry out a transfer risk assessment for each transfer that relies on contractual clauses or BCRs, and implement supplementary measures such as encryption or pseudonymisation where the destination's legal regime warrants them.
  • Local Regulatory Guidance: Keep track of updates from the ICO (UK), the FDPIC (Switzerland) and, for US recipients, the Department of Commerce's DPF list and FTC enforcement of DPF commitments, since adequacy decisions and approved clauses are periodically reviewed and can be invalidated.
  • Documentation and Training: Maintain records of each transfer, its legal basis and any assessment, and train employees on data protection practices.

Last updated: January 28, 2025