The UK Government has adopted an adequacy decision, or “data bridge” as the UK Government prefers to call them, for personal data transfers to the US. The adequacy decision was laid before Parliament on 21 September 2023 and comes into force on 12 October 2023.
What does the UK-US data bridge mean?
The UK Government has determined that the US provides adequate levels of protection of personal data such that the protections enjoyed in the UK under the UK GDPR will not be undermined. Once in force, personal data transfers in scope of the data bridge will no longer require the adoption of alternative safeguards such as the ICO’s International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.
No doubt, the decision will be welcomed by many UK businesses: it has the potential to facilitate transatlantic trade and, by following the approach already taken in the EU, to reduce the administrative burden of transfers.
What organisations are in scope?
The data bridge is a UK extension (“UK Extension”) to the EU-US Data Privacy Framework (DPF), an opt-in certification scheme for US organisations, which took effect in July 2023. The US Federal Trade Commission (FTC) and the US Department of Transportation (DoT) are responsible for enforcing the DPF whilst the Department of Commerce (DoC) administers the DPF.
In-scope US organisations must voluntarily self-certify to the UK Extension. Once they are certified and have been publicly placed onto the Data Privacy Framework List on the DPF website, US organisations can receive UK personal data through the UK-US data bridge. Only those US organisations subject to the jurisdiction of the FTC or the DoT can self-certify, which excludes banking, insurance, and telecoms companies from the scheme.
What data can be shared?
Under the data bridge, personal data – including special category and sensitive data – may be shared. However, UK organisations must ensure that special category or sensitive information is labelled/identified as such to ensure its adequate protection. Journalistic data is not subject to the EU-US DPF and cannot be transferred under the UK-US data bridge.
Criminal offence data may also be shared under the UK-US data bridge. If sharing such data as part of a human resources data relationship, the US recipient organisation must indicate that it is seeking to receive such data under the DPF. When sharing such data outside of an HR relationship, the UK organisation should indicate to the US recipient organisation that it is sensitive data that requires additional protections.
What protections are in place for UK individuals?
Organisations under the DPF agree to comply with a series of enforceable principles providing protections for personal data and must have a published privacy policy which outlines their approach. Additionally, the US has designated the UK as a qualifying state under the US Executive Order 14086 (Enhancing Safeguards for United States Signals Intelligence Activities) to allow UK individuals access to an independent and binding redress mechanism if:
- the UK individual’s data has been transferred to the US under any transfer mechanism; and
- the individual believes that their personal data has been accessed unlawfully by US authorities for national security purposes.
The availability of this redress mechanism is a key safeguard that the US introduced in light of concerns raised in the Schrems II judgement in 2020 and which led to the scrapping of the previous Privacy Shield framework.
Are there any concerns with the DPF?
The Information Commissioner’s Office (“ICO”)
The UK ICO issued an opinion earlier this year on the UK extension to the DPF, giving a “qualified assurance” and, in doing so, raising four main concerns:
- Not all categories of data listed in Article 9 of the GDPR fall within the definition of sensitive information under the UK extension and, as UK organisations are not required to identify information as sensitive, there is a risk that protections may not be applied where necessary;
- The protections provided do not match those under, for example, the UK’s Rehabilitation of Offenders Act 1974, creating a risk around criminal offence data;
- The UK extension does not provide a right to obtain a review of an automated decision by a human; and
- The UK extension does not provide a right to be forgotten, nor an unconditional right to withdraw consent.
Legal challenges
The UK extension is an “add on” to the existing EU Framework. With the EU framework set to face legal challenge (Schrems III?), there are concerns as to the soundness of the framework should the challenge be successful.
Key takeaways
UK organisations seeking to rely on the DPF from 12 October 2023 should:
- Confirm that the US recipient organisation is an active DPF participant.
- Confirm the US recipient organisation has signed up to the UK extension of the DPF.
- If HR data is to be transferred, confirm that such data is covered by the US organisation’s DPF commitments.
- Label any special category or sensitive data as such.
- Update their privacy policy and record of processing activities to reflect changes to data transfer to the US.
Where organisations rely on the DPF, they will not be required to undertake a transfer impact assessment.
UK organisations that cannot rely on the DPF can continue to use existing alternative safeguards.
How can we help?
Should you require assistance with transfers of personal data to the US, please contact a member of our specialist Data Protection and Cyber Security team.
This article was co-written by Helen McBrierty, Trainee Solicitor.