With the passage of the Data Protection (Adequacy) (United States of America) Regulations 2023 (Adequacy Regulation), the UK government has made good on its intention to establish a data bridge with the US. This follows the commitment-in-principle reached by President Joe Biden and UK Prime Minister Rishi Sunak on June 8, 2023, when the EU-US Data Privacy Framework (DPF) was still being evaluated by the European Commission under the EU GDPR. With the DPF’s completion and the US Attorney General’s designation of the UK as a ‘qualifying state’, the Adequacy Regulation will function as an extension of the EU-US DPF, but for the UK, allowing the transfer of personal data to certified persons in the US without the requirement of any other transfer mechanism under the UK GDPR.
Key takeaways in more detail:
A new transfer and redress mechanism
The UK-US data bridge operates as the UK Extension to the EU-US DPF allowing for the unconstrained movement of personal data between the UK and certified US entities. UK businesses and organisations will be able to make use of this data bridge to safely and securely transfer personal data to certified organisations in the US without the need for further safeguards (i.e. the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses)
One critical aspect of the success of the DPF is that it addresses the issues of lacking appropriate safeguards and redress mechanisms raised from the 2020 Schrems II decision. To achieve this, the US enacted Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”) which creates an independent and binding redress mechanism that can be accessed by individuals whose personal data is transferred from qualifying states (for more detail on this, see our US Team publication here). In keeping with the data bridge, the US designated the UK as a ‘qualifying state’ under this Order on 8 September 2023, meaning that UK individuals can also seek redress under the combined provisions of the Adequacy Regulations and Executive Order if they believe their personal data was collected or processed for Signals Intelligence activities in a manner that violates the Order under any applicable US Law.
Only certified US entities can receive transfers under the Data Bridge:
The DPF works as a bespoke certification scheme for US organisations, enforced by the US Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce. For a US organisation to be certified, it has to show the US regulators that it complies with principles and requirements under the DPF. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. Once a US organisation has been certified, it will be publicly placed onto the DPF List on the DPF website. These organisations can then opt-in to receive UK personal data through the UK-US data bridge.
It is important to point out, however, that only US firms subject to the authority of the US Federal Trade Commission or the US Department of Transportation are currently eligible to participate in the DPF programme. This means that banks, insurance institutions, telecommunications firms and others that are not under the jurisdiction of either the FTC or the DoT cannot rely on the data bridge (at least for now) but will have to fall back to one of the pre-existing appropriate safeguards or rely on one of the available derogations under the UK GDPR for international data transfers.
Special rules for different data categories:
- Special category data: It was noted that the definition of sensitive data under the DPF varies from the definition of special category data under the UK GDPR as the former does not include genetic data, biometric data (for the purpose of uniquely identifying a natural person) and sexual orientation data. This difference does not stop the transfer of personal data under the Data Bridge, although UK entities must take note to specifically identify these uncovered categoriesas sensitive to US organisations when transferring under the UK-US data bridge to ensure it receives appropriate protections under the DPF.
- Criminal offence data shared within and outside of a HR relationship: Where criminal offence data is proposed to be shared under the UK-US data bridge as part of a HR data relationship (personal information about a past or present employee in the context of the employment relationship), US recipient organisations must specify that they are seeking to receive such data under the DPF. Where the criminal data is not related to an HR relationship, the US recipient organisation should be specifically informed that such data is sensitive data requiring additional protections, as this would align the data with the additional protections for special category outlined above.
- Journalistic data cannot be transferred under the UK-US data bridge. Journalistic data is any personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives.
The ICO’s opinion:
The ICO identified four areas of likely risks to UK data subjects if protections under the DPF are not properly applied. We have addressed two of them above (special category data and criminal offence data), with the other two bordering on automated processing, and data subject rights to be forgotten and to withdraw consent.
Essentially, the ICO’s concerns border around the lack of a substantially similar right under the DPF akin to that provided under the UK GDPR. Nonetheless, the ICO still found it ‘reasonable’ for the UK Government to conclude that the US has an adequate level of protection. Notably, the UK DPF extension must be evaluated every four years, it is expected that the ICO will continue to monitor the program to assess compliance and ensure the promised protections are met.
From 12 October 2023, UK businesses will have a new valid transfer mechanism to share personal data to the US, and will no longer need to use the UK Addendum and the International Data Transfer Agreement (IDTA). However, before transferring personal data, UK businesses will have to confirm that the US recipient is certified with the DPF and has signed up to the UK Extension to the EU-US Data Privacy Framework program on the DPF website. It is also worth considering further simple diligence checks for example checking that the DPF certification actually covers the nature of data transferred between the parties.
This is a welcome development for UK businesses as this data bridge is envisioned to provide an expanded level of legal certainty around international data transfers to and from the US, in furtherance of the Atlantic Declaration. Given that this is still in its early phases, we will continue to monitor these developments closely and will provide further details as they progress.