UK–US data bridge given the go-ahead

On September 21, Michelle Donelan, the Secretary of State for Science, Innovation and Technology, laid adequacy regulations for the UK Extension to the EU–US Data Privacy Framework (DPF). These specify that the USA provides sufficient protection for personal data when that data is transferred to the USA. The resulting data bridge (the UK government’s preferred term for ‘adequacy’) will ensure that UK-based organisations can transfer personal data to US companies who have been approved to join the UK Extension.

The data bridge will come into effect from 12 October 2023. Previously, organisations seeking to transfer personal data from the UK to the USA had to complete a transfer risk assessment (TRA). They also had to put in place some form of international data transfer mechanism, such as binding corporate rules or the UK’s international data transfer agreement (IDTA) (which, in turn, is the UK’s version of the EU standard contractual clauses). Those mechanisms can still be used if preferred, but US organisations can now choose to self-certify to the UK Extension if they also participate in the DPF and comply with its principles (see more on that here).

The DPF framework will be enforced in the USA by its Federal Trade Commission or its Department of Transportation, and will be administered by its Department of Commerce. 

The UK government has published a raft of supporting documents for the UK Extension. According to the UK government, the new data bridge will be “the most straightforward mechanism for transferring personal data [to the USA] and [will] also provide greater certainty and confidence in the [USA’s] regulatory landscape.” 

Based on the current guide to international transfers (which pre-dates the new data bridge) issued by the Information Commissioner’s Office (ICO), the process should be more straightforward. This is because a TRA seems not to be required by organisations transferring personal data to US organisations that are certified under the UK Extension to the DPF. 

Therefore, before relying on the UK Extension as a compliance mechanism, organisations will have to undertake and document checks that the certification of the relevant US organisation is in place and up to date.

Some words of warning

On initial analysis, a few potential issues jump out. 

First, there is the UK Data Protection and Digital Information (No.2) Bill (the intended future replacement for the UK Data Protection Act 2018) that is wending its way through Parliament. The government intends for the Bill to “cut down pointless paperwork”. If some current protections are watered down too much, the European Court of Justice (ECJ) could seek to review the EU’s adequacy arrangements with the UK itself, risking already-fragile trading relationships.

Second, the data bridge is built on top of the DPF – as an extension to it, rather than a mechanism in its own right. This means that the UK–US arrangements will be at risk if the DPF faces future legal challenges that successfully invalidate it. The ECJ has form in voiding EU–US deals, having done something similar in 2015 (with its decision to invalidate Safe Harbour) and 2020 (with its decision to invalidate the EU–US Privacy Shield).

Third, the UK government must heed the ICO’s Opinion, which the ICO published on the same day that regulations were laid. It warns of four areas that the government should review, where there are potential risks that individuals’ rights are not appropriately protected under the DPF:

1. A new definition of “sensitive information” that does not specify all the categories listed in Article 9 of the UK GDPR. This will risk protections not being in place, in practice for some special categories of personal data.
2. A gap in the protection of criminal offence data. Data relating to spent convictions is protected under the UK’s Rehabilitation of Offenders Act 1974, but it is unclear how these protections would apply after the data had been transferred to the USA.
3. There is no specific protection against decisions based solely on automated processing that would produce legal effects or be similarly significant to an individual.
4. There is no equivalent to the right to be forgotten nor the unconditional right to withdraw consent.

The ICO has therefore advised the government to conduct monitoring in the following four additional areas to ensure that the DPF works in practice, and that individuals’ rights are not undermined: 

1. That the requirements under the DPF, including the Principles, rights and exemptions, work as intended.
2. The implementation and compliance with the requirements of Executive Order 14086 by the US intelligence community.
3. The effectiveness of US oversight and enforcement bodies in ensuring compliance with the DPF Principles, Executive Order 14086 and resolving complaints from individuals.
4. Any significant changes in the US legal landscape.

The ICO also said that if it becomes aware of any information indicating that the UK Extension no longer provides adequate data protection, it will inform the UK Secretary of State and may recommend a review of the regulations.

Looking on the bright side

The government’s stated aims for the data bridge are to “unlock growth for businesses, allow us to share crucial information for life-saving research, and encourage science and innovation across borders”.

We shall have to wait and see for the outcomes, but in the meantime, if you need any help with how this adequacy decision affects your organisation’s setup for international data transfers – including redrafting any intra-group data transfer agreements in light of the new data bridge and the DPF – please get in touch.