In an official announcement, the UK government has solidified its participation in a transatlantic data transfer arrangement between the European Union and the United States, unveiling it as the "UK-US Data Bridge."
Earlier in June, the UK and US laid the foundation for this agreement, and on 21st September, the UK government, led by Secretary of State Michelle Donelan, formally advanced this pivotal deal. The primary objective of this initiative is to streamline digital commerce by enabling the export of UK citizens' data to the US, assuring an adequate level of data protection in alignment with the UK's data protection regulations, once it crosses the Atlantic.
The Department for Science, Innovation, and Technology (DSIT) elaborated, stating, "Adequacy regulations have been presented in Parliament today (21st September) to implement this decision. Starting from 12th October, UK businesses and organisations will have the capability to utilise this data bridge to securely and reliably transmit personal data to certified US entities."
The necessity for the UK to establish its independent data sharing arrangement with the US arises from its departure from the European Union. It's worth noting the irony that, in the realm of data transfer agreements, Brexit means the UK is drawing upon and extending a framework established by the EU, over which UK negotiators had no influence.
The DSIT stated in its communication that "the Secretary of State has made a determination that the extension of the EU-US Data Privacy Framework to the UK does not compromise the level of data protection afforded to UK data subjects when their data is transmitted to the US. This determination is rooted in the belief that the framework upholds stringent privacy standards for UK personal data."
Furthermore, the decision finds reinforcement in the action taken by the US Attorney General on 18th September, designating the UK as a 'qualifying state' under Executive Order 14086. This designation extends access to a newly established redress mechanism for all UK individuals whose personal data has been transferred to the US under various transfer mechanisms, including those outlined in UK GDPR Articles 46 and 49, regulating the transfer of personal data to a third country and the safeguards that need to be in place in the absence of adequacy regulations.
The UK-US Data Bridge, also known as the "UK Extension of the EU-US Data Privacy Framework (DPF)", enables US companies certified under the EU framework to enrol for the receipt of UK personal data through the DPF, as previously reported in our blogpost Smoother Sailing for EU-US Data Transfers after GDPR Adequacy Decision.
The UK government's official communication also states that in establishing the data bridge between the UK and the US, extensive measures have been taken to safeguard the level of data protection guaranteed by the UK GDPR for individuals in the UK. This assurance includes a meticulous evaluation of personal data protection within the DPF and the broader legal and regulatory framework. The data bridge is accordingly designed to uphold these high standards by requiring certified US organisations receiving UK data to maintain them.
The paramount concern throughout this initiative is the protection of individuals' privacy, particularly regarding their sensitive data. The data bridge consequently aims to ensure that the level of protection afforded to personal data under the UK GDPR remains intact. Importantly, however, the data bridge does not relieve UK companies of their responsibilities under UK data protection legislation, especially concerning the safeguarding of sensitive health data (see our recent blogpost Navigating Health Data Compliance: A Roadmap for Employers) and upholding data subject rights when transferring data to other organisations. Instead, it ensures that these rigorous standards of protection and privacy accompany the data when it leaves the UK and reaches certified US organisations.
While the decision to facilitate the flow of UK data to the US is generally viewed as a logical step to address certain Brexit-related challenges, concerns arise regarding the sustainability of this arrangement. The DPF faces potential legal challenges within the EU, with data protection experts contending that it falls short of safeguarding data to the requisite standard. The EU's top court invalidated the previous two EU-US data transfer agreements in 2015 and 2020. If the DPF were to face a similar fate, questions arise concerning the fate of the UK's appended arrangement. See a more detailed analysis in our previous blogpost Imminent US adequacy decision to be met by legal challenges from privacy advocates.
Notably, the absence of EU court jurisdiction in the UK may enable the UK's extended bridge to stand alone. This prospect is bolstered by the concurrent relaxation of domestic privacy standards by the UK government. It is worth noting that the UK's data-sharing endeavours post-Brexit include its earlier adequacy decision with South Korea in July 2022.