What’s this all about?
The UK government recently announced and put into motion the next steps concerning the so-called “UK-US Data Bridge”, which aims to provide smoother personal data flows from the UK to the US. This article looks at the development in brief.
What has the UK government announced?
The UK government Department for Science, Innovation, and Technology recently announced that a decision had been taken to establish the UK-US Data Bridge and accordingly so-called “Adequacy Regulations” were put forward in the UK Parliament to effect this.
What the UK has done is to officially determine that the so-called “UK Extension to the EU-US Data Privacy Framework” does not undermine the level of data protection for UK data subjects when their personal data is transferred to the US.
What does “data bridge” mean?
The term “data bridge” is UK government shorthand for “adequacy” which is an official decision to allow personal data to flow more freely from the UK to another country without the need for further data protection safeguards. As the UK government also points out in its announcement: “[d]ata bridges are not reciprocal, therefore they do not allow the free flow of data from other countries to the UK. Instead, a data bridge ensures that the level of protection for UK individuals’ personal data under UK GDPR is maintained.”
What is the EU-US Data Privacy Framework?
The EU-US Data Privacy Framework (“the DPF”) came into effect earlier this summer and includes, amongst other things, a set of enforceable principles and requirements that must be certified to, and complied with, in order for US organizations to be able to join the DPF. These principles take the form of commitments to data protection and govern how an organization uses, collects and discloses personal data.
The DPF operates as a self-certification scheme for US companies and is enforced by the (US) Federal Trade Commission and Department of Transportation, and administered by the (US) Department of Commerce.
The “data bridge” for the so-called “UK Extension to the Data Privacy Framework” allows certified US companies to sign up to be able to receive UK personal data through the framework.
The US has made a “designation” of the UK as a so-called “qualifying state”. This relates to US Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”) which created an independent and binding redress mechanism which can be accessed by individuals whose personal data is transferred from qualifying states. The UK’s designation as a qualifying state allows UK individuals to seek redress if they believe their personal data was collected or processed through US signals intelligence in a manner that violated applicable US law.
According to the UK government: “[d]esignation by the US of the UK was an important factor that led to the data bridge assessment being successful, providing increased safeguards and redress mechanisms for UK individuals.”
What does this mean for organizations and individuals?
In short, this means that:
- UK organizations will be able to use the UK-US Data Bridge to safely and securely transfer personal data to certified organizations in the US; and,
- UK individuals whose personal data has been transferred to the US under any data transfer mechanism (including those set out under UK GDPR Articles 46 and 49) will be able to have access to the newly established redress mechanism in the event that they believe that their personal data has been accessed unlawfully by US authorities for national security purposes.
When will this come into effect?
The UK-US Data Bridge Adequacy Regulations are in force from 12 October 2023.
What about the UK Information Commissioner’s Office?
The ICO provided advice to the UK government during its assessment of the “UK Extension to the EU-US Data Privacy Framework” and, following the government laying down the adequacy regulations, the ICO published an official Opinion, primarily for the UK Parliament to consider alongside the adequacy regulations put before it. In the Opinion the ICO sets out its views on the process and the government’s conclusions. The ICO states that there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied; the Opinion details these areas, and the ICO says they should be monitored closely.
What are the takeaways?
If your organization transfers personal data from the UK to the US it should consider contacting the US organizations to which personal data is being transferred in order to determine whether advantage can be taken of the UK-US Data Bridge. Organizations that wish to participate in the UK Extension to the EU-US Data Privacy Framework must also participate in the EU-US DPF and comply with its principles.
If those US companies do sign up/self-certify to the UK Extension to the EU-US Data Privacy Framework (which is likely to entail quite a bit of work) then consideration will also need to be given as to what to do about existing arrangements under which data is transferred such as Standard Contractual Clauses (and their related Transfer Impact Assessments).
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
See our other articles, a podcast and a film about international data transfers here: https://www.corderycompliance.com/scce-eu-us-dpf-0923-09/, here: https://www.corderycompliance.com/dpa-0823-03/, here: https://www.corderycompliance.com/eu-us-dpf-0723-5/, here: https://www.corderycompliance.com/eu-dpa-rr-0423-04-5/, here: https://www.corderycompliance.com/ico-dtragt-01/, here: https://www.corderycompliance.com/datatransfers-ukdates/, and here: https://www.corderycompliance.com/uk-idta/.
The UK government’s official announcement can be found here: https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/uk-us-data-bridge-explainer.
The ICO’s official Opinion on “The UK Government’s assessment of adequacy for the UK Extension to the EU-US Data Privacy Framework for the general processing of personal data” can be found here: https://ico.org.uk/about-the-ico/what-we-do/information-commissioners-opinions-on-adequacy/the-uk-government-s-assessment-of-adequacy-for-the-uk-extension-to-the-eu-us-data-privacy-framework/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365