The UK government has announced that UK organisations will be able to use the Extension to the EU-US Data Privacy Framework (‘UK-US data bridge’) from 12 October 2023. This legal framework, which facilitates the free and safe flow of personal data from the UK to the US, could benefit businesses in the UK.
How are transfers of personal data from the UK to the US regulated?
Under the UK’s data protection laws, transfers of personal data outside the UK are prohibited, in principle, unless one of the following applies:
- Transfers to a country, territory, sector, or organisation that is considered by the Secretary of State as ensuring an adequate level of data protection compared to the UK (i.e. transfers based on the ‘adequacy regulation (decision)’)
- Transfers subject to ‘appropriate safeguards’
- Transfers in ‘specific situations’ as set out in Article 49 of the UK GDPR.
The European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (‘DPF’) in July 2023. As this decision was made after Brexit, it does not apply to data transfers from the UK to the US. UK organisations therefore cannot transfer personal data to the US unless such data is subject to appropriate safeguards, or otherwise only in specific situations.
What is the UK-US data bridge?
The UK-US data bridge is an adequacy regulation that stipulates that US organisations participating in the DPF have an adequate level of data protection compared with the UK. This allows UK organisations to transfer personal data to participating US organisations without having to rely on appropriate safeguards or specific situations.
Why is the UK-US data bridge beneficial to UK organisations?
For organisations that transfer personal data, the requirements that must be met in order to provide appropriate safeguards are generally considered complex and difficult to address. Also, data transfers in ‘specific situations’ are a last resort where there are no other bases to rely on, and in practice, these types of transfers are not user-friendly for the organisation that processes the data. As such, the UK-US data bridge unlocks the potential to reduce compliance costs for UK businesses.
Which US organisations are covered by the UK-US data bridge?
The recipient of personal data must be a US organisation that has obtained extended certification for the UK-US data bridge under the DPF. This extension can be conducted through the DPF account held by certified US organisations. As the UK-US data bridge is based on participation in the DPF, US organisations that have not signed up to the DPF must first do so before they can use this method of transferring personal data. It should also be noted that US businesses in some industries, such as banking, insurance and telecommunications, are not covered by the DPF. The participants, including the opt-in status of the UK-US bridge, can be found here.
What is the ICO’s stance on the UK-US data bridge?
The Information Commissioner’s Office (ICO) states that the decision to adopt the UK-US data bridge is reasonable; however, it does not appear to support it unconditionally. Where the protections identified are not properly applied, the ICO is concerned that there may be some specific areas that could pose risks to UK data subjects. For example, there are some indications that the protections afforded by the right to obtain a review of an automated decision, the right to be forgotten and the unconditional right to withdraw consent may be missing from the UK-US data bridge.
Will the framework for data transfers to the US fail again?
In fact, the EU has previously had similar data transfer schemes with the US, which were invalidated by the Court of Justice of the European Union in 2015 (Schrems I) and 2020 (Schrems II). The activist group involved in those cases has already announced its intention to challenge the DPF as well. The future of that challenge is unclear at this stage; however, if it is successful, complicated issues may arise regarding the validity of the UK-US data bridge, because it is founded on the DPF.
How 3CS can help
Our team of corporate and commercial lawyers and consultants have both domestic and international expertise and offer a full range of corporate and commercial legal services. For further information on the UK-US data bridge or help with any commercial legal matter, please get in touch with your usual 3CS contact.