Back in July this year, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF) which now provides a lawful basis for the transfer of personal data from EEA based organisations to US companies which have certified for the DPF. We wrote about that EU adequacy decision here. Our previous bulletin finished by asking, “What about UK-US data transfers?” and we now have an answer. Michelle Donelan MP, in her capacity as the UK Secretary of State for Science, Innovation and Technology, has now formally taken the decision to establish a “UK-US data bridge” (Data Bridge) and has proposed legislation to give effect to this. Draft adequacy regulations (made under section 17A of the Data Protection Act 2018) were laid before Parliament on 21 September 2023 and will come into force on 12 October 2023. From that date, organisations exporting personal data from the UK will be able to rely on the Data Bridge as the lawful basis for data transfers to US organisations which have certified under the DPF.
The Data Bridge is an extension to the DPF, which means that the same risk assessments and Executive Orders made by the US Government will apply to personal data whether it arrives from the EEA or from the UK. That is particularly useful for businesses with pan-European operations, since they can effectively assess and deal with all their transatlantic data transfers in the same way, provided that the data importer in America has opted in and been certified for the DPF, which is administered by the US Department of Commerce (and enforced by the Federal Trade Commission and the Department of Transportation).
The DPF (for EU-US data transfers) and the Data Bridge (for UK-US data transfers) therefore operate much like the Privacy Shield and the Safe Harbor regimes that came before them. It is not the case that every transfer of personal data from the EEA / UK to the US is now deemed to be “safe”; rather, transfers to US based organisations which have understood the DPF principles and been certified by the US Department of Commerce are deemed to be safe recipients of personal data. This is because those organisations, by engaging with the DPF framework, have agreed to play their part in upholding GDPR principles in respect of personal data transferred from the EEA / UK. The DPF participants are listed and can be searched for online here.
If a US based data importer has not opted in for the DPF, then data exporters in the EEA / UK will likely need to continue relying on the contractual mechanisms (sometimes referred to as “gateways”) for transferring personal data lawfully to the US: namely, the International Data Transfer Agreement (IDTA) for UK-only data exports, or the Standard Contractual Clauses (SCCs) plus the UK’s Addendum for mixed UK and EU data exports. As we mentioned in our July article, the CJEU’s judgment in the Schrems II case introduced a requirement for “data transfer impact assessments” (ie risk assessments in respect of EEA / UK data exports) where contractual measures like the IDTA or the SCCs are proposed to be used as the lawful basis for international data transfers. However, the existence of the DPF and the Data Bridge, and the commitments made by the US Government in its Executive Orders made in connection with these new frameworks, likely simplify those assessments, especially where the details of the data transfers in question (eg the nature and volume of the data, the purpose of the transfers, the apparent risk to individuals, etc) give the transfers a low-risk flavour.
Finally, the ICO has given its Opinion on the UK Government’s assessment of adequacy for the Data Bridge. The ICO’s Opinion, which is found here, concludes that “it is reasonable for the Secretary of State to conclude that the [Data Bridge] provides an adequate level of data protection…”. However, the ICO identifies “four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied”. The ICO’s four concerns are:
- The definition of “sensitive information” under the Data Bridge does not specify all the special categories of personal data set out in Article 9 of the UK GDPR. Instead, the Data Bridge includes a catch-all provision specifying, “...any other information received from a third party that is identified and treated by that party as sensitive.” Accordingly, says the ICO, UK organisations will need to identify biometric, genetic, sexual orientation and criminal offence data as sensitive data when sending it to a US certified organisation so that it will be treated as “sensitive information” under the Data Bridge. The ICO has welcomed the UK Government’s proposal to issue guidance to help data exporters with this.
- For criminal offence data, there may be some risks even where this is identified as “sensitive information” because, according to the ICO’s research, the Data Bridge does not incorporate protections which are equivalent to those set out in the UK’s Rehabilitation of Offenders Act 1974. That Act places limits on the use of data relating to criminal convictions when those convictions have become “spent” following the relevant rehabilitation period, including the ability to request that such older / historical criminal offence data is deleted. The ICO says that it is not clear how those protections would apply once such personal data has been transferred from the UK to the US.
- The Data Bridge does not contain a substantially similar right to the one found in Article 22 of the UK GDPR, which protects individuals from being subject to decisions based solely on automated processing (where such a decision would produce legal effects or be similarly significant for an individual). In particular, says the ICO, the Data Bridge does not provide for the right to insist that an automated decision is subject to human review. This may be particularly relevant for data transfers from the UK to the US made for the purposes of operating AI systems.
- The Data Bridge contains neither a right which is substantially similar to the UK GDPR’s right to erasure (also known as the “right to be forgotten”, under Article 17 of the UK GDPR) nor an unconditional right to withdraw consent (as per Article 7 of the UK GDPR). According to the ICO, while the Data Bridge gives individuals some control over their personal data, this is not as extensive as the control they have in relation to their personal data when it is in the UK.
As such, the Information Commissioner has given a “qualified assurance to Parliament as it considers the [adequacy] regulations” proposed by the Secretary of State.
Our expectation is that the UK Parliament will pass those regulations and that the Data Bridge will indeed come into effect on 12 October 2023. However, UK based data exporters will need to keep a close eye on legal developments in this area, given the long history of transatlantic data transfer mechanisms being challenged in the courts (by Max Schrems and others).
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, September 2023