Bridge Over Troubled Data Flows: UK-US Data Bridge Approved

The UK has approved the UK-U.S. Data Bridge facilitating flows of personal data to U.S. entities that have self-certified to the EU-U.S. Data Privacy Framework (‘DPF’), provided that those entities extend their DPF certification to cover UK data.

Key Takeaways

• U.S. entities can extend their DPF certifications to cover UK data as well as EU data.
• In such cases, data transfers will be covered by the UK-U.S. Data Bridge and there will be no need to implement the ICO’s International Data Transfer Agreement or other ‘appropriate safeguards’ specified in the UK GDPR.
• Whilst the UK-U.S. Data Bridge offers organisations an additional mechanism for UK-U.S. data transfers, other transfer mechanisms remain valid options and organisations should consider what mechanism works best for their specific transfers, especially given the potential for legal challenges.
• Safeguards implemented by the U.S. as part of the DPF apply even where other mechanisms such as the International Data Transfer Agreement or addendum to the standard contractual clauses are used. Organisations continuing to rely on these mechanisms for UK to U.S. transfers can therefore take account of these safeguards as part of their transfer impact assessments.
• The UK-U.S. Data Bridge enters into force on 12 October 2023.

Refresher: Safe Harbor (Schrems I), Privacy Shield (Schrems II), Data Privacy Framework

The GDPR restricts the transfer of personal data out of the EU (as did the EU Data Protection Directive before it). Data can be transferred out of the EU if the transfer is covered by an ‘adequacy decision’ issued by the European Commission. The European Commission is required to only issue adequacy decisions in relation to destinations that afford personal data a level of protection that is essentially equivalent to the level of protection in the EU.

The laws and practices in the U.S. do not, in general, offer a level of protection for personal data that is essentially equivalent to the EU. Therefore, over the years a number of frameworks have been designed under which U.S. organisations commit to providing an enhanced level of protection for EU personal data in order to benefit from an adequacy decision. The first such framework was Safe Harbor. However, the European Commission’s adequacy decision in relation to Safe Harbor was declared invalid by the Court of Justice of the EU (‘CJEU’) in 2015 in proceedings brought by privacy activist, Max Schrems (Schrems I). Safe Harbor was duly replaced by the EU-U.S. Privacy Shield, which built on the protections available under Safe Harbor. However, this framework suffered the same fate in 2020 when the EU-U.S. Privacy Shield was invalidated by the CJEU (Schrems II) principally because the Privacy Shield did not mitigate bulk surveillance by U.S. authorities or provide an adequate redress mechanism for EU data subjects. Ever since, EU and U.S. officials have been at the table forging a revamped data transfer framework, which in July 2023 resulted in the European Commission making an adequacy decision in relation to the EU-U.S. Data Privacy Framework. The DPF is a new self-certification framework for U.S. organisations, which includes an Executive Order imposing limits on U.S. surveillance of personal data and the creation of a new Data Protection Review Court.

The UK-U.S. Data Bridge

The UK’s equivalent to the GDPR (the ‘UK GDPR’), which replaced the GDPR in the UK as a result of Brexit, restricts transfers of personal data out of the UK in essentially the same way as the GDPR restricts transfers out of the EU. Rather than the European Commission, in the UK the UK government has authority to issue new adequacy decisions (referred to in the UK GDPR as ‘adequacy regulations’ but branded by the UK government as ‘data bridges’).

On 21 September 2023 the formal steps were taken for the UK extension to the DPF to be treated as providing adequate protection to personal data that is subject to the UK GDPR, thereby establishing the ‘UK-U.S. Data Bridge’. This follows the U.S. Attorney General extending the new U.S. Data Protection Review Court to UK individuals on 18 September 2023.

As a result, from 12 October 2023 personal data can be transferred from the UK to DPF participants in the U.S. that have extended their certification to the UK without needing to implement the UK’s International Data Transfer Agreement (the UK equivalent of standard contractual clauses) or other ‘appropriate safeguards’ specified in the UK GDPR.

In addition to administering the DPF, the U.S. Department of Commerce will administer the UK extension to the DPF that creates the UK-U.S. Data Bridge. U.S. organisations that are certified under the DPF can extend their certification to cover data from the UK by selecting the option to add the UK extension through their online DPF account.

Importantly, as an extension to the DPF, the UK-U.S. Data Bridge cannot be entered into separately from the DPF, so U.S. organisations seeking to make use of the UK-U.S. Data Bridge that are not already DPF certified must sign up to the DPF and opt-in to the UK extension. Further information about signing up to the DPF is in our previous OnPoint here.

Organisations in the UK can check whether a proposed data recipient participates in the DPF and UK extension by searching the Data Privacy Framework List at <dataprivacyframework.gov>.

The ICO’s view

The Information Commissioner’s Office (‘ICO’), the UK data regulator, has issued an opinion on the UK-U.S. Data Bridge. The ICO’s endorsement of the UK-U.S. Data Bridge is cautious; the opinion states that ‘while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied.'

The ICO highlights that certain categories of personal data that are treated as particularly sensitive under the UK GDPR are not treated as ‘sensitive information’ under the DPF unless this data is expressly identified as sensitive by the transferring organisation. The categories of data that must be expressly flagged as sensitive are:

• criminal offence data;
• genetic data;
• biometric data for the purpose of uniquely identifying a natural person; and
• data concerning sexual orientation.

UK organisations should be alert to the requirement to highlight to DPF participants in the U.S. that these categories of data should be treated as sensitive information.

The ICO also identifies that the DPF does not contain equivalent protections to:

• the rights under the UK GDPR relating to decisions based solely on automated processing;
• the right to be forgotten under the UK GDPR; or
• the unconditional right to withdraw consent.

Ultimately though, rather than taking a definitive position, the ICO has recommended that the Secretary of State should monitor these areas closely to ensure UK data subjects are afforded equivalent protection in practice and their rights are not undermined.

Will the UK-U.S. Data Bridge succeed where Safe Harbor and Privacy Shield failed?

Max Schrems’ privacy activist organisation, NOYB, has already announced an intention to challenge the European Commission’s approval of the DPF. In addition, a Member of the European Parliament has reportedly already submitted a legal challenge to the DPF in the EU General Court. It remains to be seen whether similar actions might be taken in the UK.

As the UK is no longer part of the EU, the UK-U.S. Data Bridge could survive challenges to the adequacy of the DPF in the EU. There is little substantive difference between the relevant data protection regimes in the EU and the UK, or between the protections under the DPF and the UK-U.S. Data Bridge. That said, the litmus test for whether an adequacy decision is valid is whether the level of protection is ‘essentially equivalent’ to the GDPR - courts in the UK could consider this benchmark differently to their counterparts in Luxembourg.

The invalidity of the Privacy Shield centred on disproportionate surveillance by U.S. authorities and the lack of adequate redress mechanisms for data subjects. The U.S. has sought to address those issues, but the ICO highlights further points that could leave the DPF and UK-U.S. Data Bridge open to challenge. However, the laws of other jurisdictions that benefit from an adequacy decision also have differing categorisations of personal data and data subject rights that do not fully mirror those under the GDPR - a certain degree of variation is permissible.

Comment

Notwithstanding potential challenges to its validity, most organisations should be relatively comfortable using the UK-U.S. Data Bridge. Self-certifying for the UK is straightforward for existing DPF participants and the combination of the DPF and UK-U.S. Data Bridge may be an attractive option for U.S. organisations that are frustrated with the burden of countless standard contractual clauses/UK addenda/International Data Transfer Agreements.

Whilst the GDPR has been held out by some UK politicians as a paradigm of EU overregulation that Brexit enables the UK to escape, the UK’s approach to international data transfers, both in relation to the UK-U.S. Data Bridge and standard contractual clauses, shows a pragmatic approach of alignment with the EU. This enables international businesses to take a largely consistent approach to compliance across the UK and EU.