The UK-US Data Bridge becomes law and will take effect on 12 October 2023. What does this mean for transatlantic transfers?
On 21 September 2023 Rt Hon Michelle Donelan MP, the UK Secretary of State for Science, Innovation and Technology (DSIT), laid adequacy regulations before Parliament to establish a data bridge with the US through the UK extension to the EU-US Data Privacy Framework. The regulations will take effect from 12 October, when organisations in the UK will be able to transfer personal data to US organisations certified to the UK extension to the EU-US DPF without the need for further safeguards. Will this finally simplify transatlantic transfers for UK businesses?
What is a Data Bridge?
A data bridge is the UK Government's preferred term for "adequacy". It permits the free flow of personal data from the UK to another country without the need for further safeguards. A data bridge is not reciprocal, but it is designed to ensure that the level of protection for UK individuals' personal data under the UK GDPR is maintained. The UK-US Data Bridge is an extension (the UK Extension) of the EU-US Data Privacy Framework, the adequacy decision adopted by the European Commission for transfers to the US, which came into force on 11 July 2023.
The Data Privacy Framework
The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US companies, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC). It is a set of enforceable principles and requirements in relation to data protection that must be certified to, and complied with, in order for US organisations to be able to join the DPF. For the European Commission to grant this adequacy decision, significant changes were made to US intelligence gathering activities. In particular, Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”) created an independent and binding redress mechanism which can be accessed by individuals whose personal data is transferred from qualifying states.
This means that the same Executive Orders made by the US Government will also apply to personal data from the UK in the same way as they apply to personal data from the EU. Provided that the data recipient in the US has been certified for the DPF, data can be freely transferred from the EU and now, under the UK Extension, from the UK. This should simplify transfer procedures in Europe-wide companies.
Types of organisation included and excluded under the UK Extension
UK organisations cannot simply transfer personal data to any data recipient in the US. The relevant recipient must appear on the DPF List and be certified to the UK Extension. Only US organisations subject to the jurisdiction of the US FTC or the US DoT are currently eligible. US organisations that are not subject to the jurisdiction of either the FTC or the DoT include (generally speaking) banking, insurance and telecommunications companies.
Categories of data excluded from transfer under the UK Extension
UK organisations should also carefully review the nature of their transfers and consider whether the data to be transferred is covered by the UK Extension. For example, certain journalistic personal data may not be transferred, and it will also be necessary to actively indicate to the US data recipient that it must treat genetic data, biometric data processed for the purpose of uniquely identifying a natural person, and data concerning sexual orientation as "sensitive information". This is because, while these are special categories of data under Article 9(1) of the UK GDPR, they are unhelpfully not designated as sensitive information under the UK Extension. There are also further specific requirements for certain criminal offence data.
The ICO's Opinion
The ICO has issued its Opinion on the UK Government’s assessment of adequacy for the Data Bridge, and concludes that “it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection…”. However, the ICO highlights “four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied”. These four concerns are as follows:
- the definition of “sensitive information” (as set out above). The ICO has welcomed a proposal from DSIT to issue guidance to help UK organisations in identifying sensitive information.
- the potential conflict between the UK's approach to criminal offence data and that of the US. Equivalent protections may not exist for certain types of criminal offence data in the US (for example the UK’s Rehabilitation of Offenders Act 1974 places limits on the use of data relating to "spent" criminal convictions). The ICO says that it is not clear how those protections would apply once such personal data has been transferred from the UK to the US.
- the lack of a substantially similar right to the protections under Article 22 of the UK GDPR, which protects individuals from being subject to decisions based solely on automated processing. The ICO highlights that the UK Extension does not provide for the right to insist that an automated decision is subject to human review.
- the lack of substantially similar rights to Articles 7 (unconditional right to withdraw consent) and 17 (right to be forgotten) of the UK GDPR. The ICO considers that while the UK Extension gives individuals some control over their personal data, this is not as extensive as the control they have in relation to their personal data when it is in the UK.
Therefore the ICO has given a “qualified assurance to Parliament as it considers the regulations” proposed by the Secretary of State. Despite the ICO's qualified assurance, we expect that the UK Parliament will pass those regulations and that the Data Bridge will come into effect on 12 October 2023.
What steps should UK organisations take?
Organisations transferring personal data from the UK to the US should now check whether the transfers could benefit from the new Data Bridge. The following checks should be made:
- confirm that the US organisation is registered for the DPF. This can be checked on the DPF List using the participant search,
- confirm that the organisation has signed up to the UK Extension,
- confirm that the categories of data being transferred are covered, and
- review the US organisation's privacy policies.
In addition, UK organisations will need to update their privacy policies and records of processing activities (ROPAs) to reflect any changes in how they transfer personal data to the US.
What if the Data Bridge does not apply?
If you cannot rely on the UK Extension to transfer personal data to the US, your organisation will have to revert to one of the pre-existing appropriate safeguards (e.g., the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) or rely on one of the available derogations under Article 49 of the UK GDPR. You may also need to carry out a transfer risk assessment to validate your transfers.
However, there may be an additional benefit to the Data Bridge. Currently, UK organisations use (and, if the Data Bridge does not apply to them, may continue to use) alternative transfer mechanisms to transfer personal data from the UK to the US, and a time-consuming, complex and often costly transfer risk assessment (TRA) needs to be carried out. The TRA has to consider whether the relevant protections under the UK GDPR would be undermined by the laws and practices of the third country.
DSIT has published an extensive analysis of relevant US laws relating to the access and use of personal data by US agencies for the purposes of national security and law enforcement (this assessment formed the basis of the finding of adequacy via the Data Bridge). This analysis is still relevant for transfers made on the basis of alternative transfer mechanisms and should inform TRAs accordingly.
Further legal challenges
UK organisations will need to keep abreast of developments in this area, given the long history of transatlantic data transfer mechanisms (Safe Harbour and Privacy Shield) being challenged in the European courts. It is arguably only a matter of time until we face a Schrems III, and another article [cross reference ] in this edition shows that challenges to the DPF have already started.
Any challenge could take several months or even years, but there is a real risk that the DPF could be invalidated in the future. If this happens, it is not clear what the consequence would be for the UK-US Data Bridge. In this period of uncertainty, UK organisations may want to continue to rely on their existing safeguard measures.