On 12 October 2023, the Data Protection (Adequacy) (United States of America) Regulations 2023 and the UK-US ‘data bridge’ (‘Bridge’) will come into effect.
This will mean that, under the terms of the revised EU-US Data Privacy Framework (‘DPF’) and the UK Extension to it, transfers of personal data from the UK to US organisations certified under that extension will be deemed to meet the test of adequacy for the purposes of the UK GDPR and the Data Protection Act 2018.
What is the Bridge?
‘Data bridge’ is the term used to describe a non-reciprocal mechanism which allows personal data to flow from one country to another, reducing barriers to data transfer. In this case, the Bridge is an extension to the DPF. The DPF enables personal data to be transferred from the EU to US entities that are certified under the DPF and comply with its principles and requirements, without the need for additional data protection safeguards.
The requirement for US entities to be certified under the DPF will also apply to the Bridge. UK businesses can check the certification status of a US entity by searching the DPF list, and should confirm that the entity is listed as participating in the UK Extension to the DPF, not only the EU-US DPF.
How will the Bridge affect UK businesses?
Since the previous Privacy Shield mechanism was ruled not to provide adequate safeguards in the July 2020 judgment known as ‘Schrems II’, cross-border transfers of personal data to the US have been restricted. As such, UK businesses needing to transfer data to the US have had to rely on alternative transfer mechanisms, such as the International Data Transfer Agreement (IDTA) and the International Data Transfer Addendum to the European Commission's Standard Contractual Clauses, to ensure that adequate levels of protection and privacy are provided when personal data is transferred.
The Bridge aims to ease the burden on UK businesses by streamlining the transfer of personal data from UK businesses to certified US recipients, removing the need for these contractual mechanisms without compromising on security and protection.
This should accelerate the transfer of personal data to the US, resulting in more efficient transatlantic data flows and consequently reducing costs. Expediting the process in this way may also have the knock-on effect of encouraging more business between UK and US companies.
While the Information Commissioner's Office (‘ICO’) considered it reasonable for the Secretary of State to conclude that the Bridge provides an adequate level of data protection, it has identified specific areas that could pose risks to UK data subjects if the protections are not properly applied. In particular, the ICO has highlighted that the definition of ‘sensitive information’ under the Bridge does not expressly list all of the special categories of data in Article 9 of the UK GDPR, nor criminal offence data under Article 10. Instead, the Bridge relies on a catch-all provision covering “…any other information received from a third party that is identified and treated by that party as sensitive.”
Therefore, a UK business transferring biometric, genetic, sexual orientation or criminal offence data to the US must expressly identify that data as ‘sensitive’ at the point of transfer; otherwise the US recipient is under no obligation under the DPF to treat it as such.
The ICO has also recommended that Government monitor the processing of spent criminal conviction data, automated processing, the right to be forgotten and the unconditional right to withdraw consent, to ensure that the differences between UK and US law do not result in a reduction of protections for data subjects.
It remains to be seen whether the Bridge will face legal challenges from privacy campaigners such as Max Schrems and the organisation he founded, NOYB – European Center for Digital Rights. Schrems successfully challenged both previous EU-US data sharing frameworks: Safe Harbor in Schrems I and Privacy Shield in Schrems II.
The Birketts view
Although the Bridge is not free from criticism and potential legal challenges, UK businesses should benefit from more efficient data flows across the Atlantic once the Bridge is introduced.
UK businesses should review their privacy notices and records of processing activities to reflect their reliance on the Bridge. In addition, before relying on it for a given transfer they should confirm that the US recipient is DPF certified and has signed up to the UK Extension, and that any sensitive data being transferred is correctly identified as such.
Owing to the issues highlighted by the ICO, and to ensure that the differences between UK and US law do not reduce protections for data subjects, UK businesses should also consider putting in place further contract terms with US recipients that preserve data subjects' right to be forgotten, their right to withdraw consent and their rights in relation to automated processing.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.