Building data bridges: UK extends EU-US Data Privacy Framework
On 21 September, the Department of Science, Innovation and Technology published the Data Protection (Adequacy) (United States of America) Regulations 2023, which are set to come into effect on 12 October 2023. From this date, UK organisations will be able to transfer personal data to US entities certified under the UK Extension to the EU-US Data Privacy Framework (also known as the "UK-US Data Bridge") without the need to implement further transfer safeguards.
In anticipation of the UK-US Data Bridge, on 18 September, the US Attorney General designated the UK as a "qualifying state" under Executive Order 14086 ("Executive Order"). As a result, UK individuals can benefit from the oversight and redress mechanisms for US signals intelligence activities that have been introduced by the Executive Order.
What gap does the transatlantic deal intend to bridge?
The exchange of personal data across the pond has seen choppy waters, with significant developments including the invalidation of the Safe Harbor mechanism in 2015 and the invalidation of the EU-US Privacy Shield following the Schrems II decision in 2020. The UK-US Data Bridge is intended to override previous challenges and ensure that personal data is transferred safely, securely, and to a standard that maintains a level of protection for individuals that is equivalent to that provided under the UK GDPR.
The UK-US Data Bridge is expected to unlock economic opportunities, foster data sharing leading to improved products and services for consumers, and enable transfers of crucial information, such as information related to cross-border science, innovation and research.
How will data flow under the UK-US Data Bridge?
Organisations that wish to transfer UK personal data to a US recipient in reliance on the UK-US Data Bridge will need to make the following checks before transferring the data:
- The recipient is certified under the UK-US Data Bridge and listed on the Data Privacy Framework Program's List.
- If the transfer relates to HR data, this has been highlighted on the recipient's certification. Statistical reporting based on aggregating employment data which contains anonymised data or no personal data does not raise concerns.
- That it has reviewed the recipient's privacy disclosures to check they conform to the requirements of the UK-US Data Bridge.
- Whether the data is excluded – sensitive data can be transferred under the UK-US Data Bridge, as can criminal offence data.
a) For criminal offence data (whether shared as part of, or external to, a HR context), UK organisations must inform the US recipient that such data requires additional protections. For US recipients of criminal data shared within a HR data relationship, the US recipient must indicate that they are seeking to receive such data under the EU-US Data Privacy Framework.
b) For sensitive data not contained in Choice principle 2(c) of the EU-US Data Privacy Framework, such data has to be identified as sensitive to the US recipient in order to rely on UK-US Data Bridge arrangements. This includes genetic data, biometric data for the purpose of uniquely identifying a natural person and sexual orientation data.
Journalistic data, as defined by Supplemental Principle 2(b) of the EU-US Data Privacy Framework, cannot be transferred under the UK-US Data Bridge as it is not subject to the EU-US Data Privacy Framework.
It is notable that, at present, only organisations subject to the jurisdiction of the United States Federal Trade Commission and the United States Department of Transportation can benefit from the transatlantic deal – so US banking, insurance, and telecommunications companies are currently excluded.
A bridge too far?
In the Information Commissioner's Office's ("ICO") opinion on the UK-US Data Bridge, the Information Commissioner found that although it is "reasonable […] to conclude that the UK Extension provides an adequate level of data protection […] there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied [and monitored in practice]". The four areas are:
- Identifying sensitive data: Sensitive data has not been defined in the same way as Article 9 of the UK GDPR, the definition omits certain types of sensitive data as discussed above. The definition includes a sweeper provision requiring organisations under the EU-US Data Privacy Framework to treat "[...] any other information received from a third party that is identified and previously treated by that party as sensitive by the organisation sharing the information". As discussed above, data outside of the definition of sensitive data must be identified, however there is no current requirement for UK organisations to identify sensitive data as such. The ICO has suggested that guidance should be published to assist UK organisations with identifying sensitive data.
- Risks related criminal offence data: There appears to be no US equivalent to the protections in the UK’s Rehabilitation of Offenders Act 1974 – an Act which limits the use of data relating to criminal convictions, including the ability to request the deletion of this data.
- Concerns around protection from automated decision making: The UK-US Data Bridge does not contain a similar right to the UK GDPR with respect to protecting individuals subject to decisions made via automated processing, most notably the right to obtain a review of an automated decision by a human.
- Forgetting the Right to be Forgotten: The UK-US Data Bridge does not contain a similar right to the UK GDPR's right to be forgotten nor an unconditional right to withdraw consent.
As mentioned in the ICO's opinion, the UK Government must monitor the level of data protection under the UK-US Data Bridge every four years.
Should organisations water down their compliance with other adequacy safeguards?
Although the purpose of the UK-US Bridge eliminates the requirement to implement further transfer safeguards, UK organisations should not totally dispose of them. As detailed above, there may be circumstances in which the UK-US Data Bridge cannot be relied upon, for example, for transfers of journalistic data.
Furthermore, UK organisations should bear in mind that, historically, legal frameworks for the transfer of personal data to the US have been hotly contested. It may therefore be prudent for organisations to avoid relying exclusively on the UK-US Data Bridge, even when sending to a US organisation that is certified.
This may also help to avoid future operational difficulties, on the basis that there are already indications that challenges may arise fairly quickly. For example, recently, Phillippe Latombe, a French Member of Parliament, challenged the EU-US Data Privacy Framework by claiming that it "[…] violates the Union's Charter of Fundamental Rights, due to insufficient guarantees of respect for private and family life […] and the General Data Protection Regulation". While any successful EU challenge would not automatically invalidate the UK's post-Brexit transfer safeguards, it would certainly destabilise the UK position. Despite the UK's status of a qualifying state under the Executive Order, there could also be a risk of UK data campaigners calling into question the validity of the UK-US Data Bridge, such as the possibility of a home-grown Schrems style case…