Bridging the gap: the UK Extension to the EU-US Data Privacy Framework
On 12 October 2023, and as reported in our previous article, the UK Government published The Data Protection (Adequacy) (United States of America) Regulations 2023 (UK-US Data Bridge Regulations). The UK-US Data Bridge Regulations adopt an adequacy decision between the UK and US (UK-US Data Bridge) and offer UK businesses a streamlined option for transferring personal data to certified organisations in the US without the need for appropriate safeguards.
What is a data bridge?
A data bridge describes the flow of personal data without the need for additional safeguards and is the UK’s preferred term for ‘adequacy’. A data bridge ensures that the recipient business receiving personal data provides an adequate (but not identical) level of data protection to that required under the UK GDPR.
As previously reported, the European Commission adopted the EU-US Data Privacy Framework (DPF) providing for the safe transfer of personal data from EEA-based businesses to US businesses that are certified under the DPF. The UK-US Data Bridge will operate as an extension of the DPF with US entities able to extend their certification to include UK personal data. In practical terms, this means a business operating in the UK and EU and/or providing goods or services to UK and EU data subjects may rely on the DPF and the UK extension to transfer such personal data to the US without the need for the EU’s Standard Contractual Clauses (SCCs), the UK’s International Data Transfer Agreement (IDTA) or any other appropriate safeguard.
Possible risks?
The Information Commissioner’s Office (ICO) has commented on the UK-US Data Bridge, noting that the UK-US Data Bridge Regulations may still present risks to UK data subjects if the protections identified are not properly applied. The ICO identified several issues, the most material of which are as follows:
- Journalistic data as defined by Supplemental Principle 2(b) of the DPF is not subject to the requirements of the DPF. As a result, such journalistic data cannot be transferred under the UK-US Data Bridge;
- The UK-US Data Bridge does not provide for similar rights to UK data subjects (e.g., right to be forgotten) meaning that UK data subjects may not have the same level of control over their personal data as they have under the UK GDPR; and
- The definition of ‘sensitive information’ in the UK-US Data Bridge does not mirror the definition of ‘special categories of personal data’ under Article 9(1), UK GDPR. This means that UK businesses may need to expressly communicate to the receiving business what they consider to be ‘sensitive information’ when sharing such data, to ensure that specific types of special category data receive the appropriate protection from the receiving business.
Impact and reliance on the UK-US Data Bridge
It is hoped that the UK-US Data Bridge will stimulate economic growth between the two countries, as it will reduce red tape and improve the ease with which UK businesses can share personal data with businesses in the US (e.g., with US-based service providers or for intra-group transfers to affiliates operating in the same corporate group). UK businesses looking to rely on the UK-US Data Bridge will need to confirm that the receiving US business is on the DPF List and has signed up to the UK extension to the DPF. If transferring HR data, they will also need to check that the receiving business’s certification includes ‘HR Data’. If you cannot rely on the UK-US Data Bridge for your international transfer, you will need to revert to the pre-existing appropriate safeguards (Article 46, UK GDPR) or one of the derogations (Article 49, UK GDPR).
Comment
The UK-US Data Bridge is a welcome development for UK businesses that are required to transfer personal data to the US. It provides a streamlined process yet in theory ensures an adequate level of protection for data subjects. UK businesses should be reviewing their privacy policies/notices and Record of Processing Activities (ROPA) and updating them as required to reflect any changes in how they transfer UK personal data to the US. Further, and if relying on either the DPF or UK-US Data Bridge, you will need to review the DPF List annually to ensure that the US business receiving the personal data has been recertified.