With the passage of the Data Protection (Adequacy) (United States of America) Regulations 2023 (Adequacy Regulation), the UK government has made good on its intention to establish a data bridge with the US. This follows the commitment-in-principle reached by President Joe Biden and UK Prime Minister Rishi Sunak on June 8 2023, when the EU-US Data Privacy Framework (“DPF“) was still being evaluated by the European Commission under the EU GDPR. With the DPF’s completion and the US Attorney General’s designation of the UK as a ‘qualifying state’, the Adequacy Regulation will function as an extension of the DPF to the UK, allowing the transfer of personal data to certified persons in the US without the need to implement other transfer mechanisms under the UK GDPR.
In more detail:
A new transfer and redress mechanism
The UK-US data bridge operates as an extension to the DPF (the “UK Extension“) allowing for the unconstrained movement of personal data between the UK and certified US entities. UK businesses and organisations will be able to make use of this data bridge to safely and securely transfer personal data to certified organisations in the US without the need for further safeguards (i.e. the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses).
One critical aspect of the success of the DPF is that it addresses concerns regarding the lack of appropriate safeguards and redress mechanisms as raised in the 2020 Schrems II decision. This led the US to enact Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”) which creates an independent and binding redress mechanism that can be accessed by individuals whose personal data is transferred from qualifying states. Therefore, the establishment of the UK-US data bridge means UK individuals can now seek redress if they believe their personal data was collected or processed through in a manner that violates applicable US law.
Only certified US entities can receive transfers under the Data Bridge
The DPF works as a bespoke certification scheme for US organisations, enforced by the US Federal Trade Commission and Department of Transportation, and administered by the Department of Commerce. In order to opt in to certification, a US organisation must show US regulators that it complies with and can certify the DPF’s principles and requirements, which govern the use, collection and disclosure of personal data. Once a US organisation is certified, their certification will be placed on a publicly available DPF List on the DPF website. These organisations can then opt-in to receive UK personal data through the UK-US data bridge.
If your organisation cannot rely on the UK Extension to transfer personal data to the US, you must implement one of the pre-existing appropriate safeguards or rely on one of the available derogations under the UK GDPR for international data transfers.
Special rules for different data categories:
- Special category data: The definition of sensitive data under the DPF differs from the definition of special category data under the UK GDPR as the former does not include genetic data, biometric data (for the purpose of uniquely identifying a natural person) and sexual orientation data. While this difference does not prevent the transfer of sensitive/special category data under the UK-US data bridge, any such data must be identified as special category/sensitive by UK organisations when it is shared, and DPF-certified US organisations must continue to treat such data as sensitive.
- Criminal offence data shared within and outside of a HR relationship: Where criminal offence data is proposed to be shared under the UK-US data bridge as part of a HR data relationship (personal information about a past or present employee in the context of the employment relationship), US recipient organisations must specify that they are seeking to receive such data under the DPF. Where criminal offence data is not related to an HR relationship, the US recipient organisation should be informed that the data is sensitive and therefore requires additional protections, similar to those implemented for sensitive/special category data.
- Journalistic data: Journalistic data cannot be transferred under the UK-US data bridge. Journalistic data is defined as any personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives.
The ICO’s opinion:
The ICO identified four areas of likely risks to UK data subjects if protections under the DPF are not properly applied. We have addressed two of them above (special category data and criminal offence data), with the other two bordering on automated processing, and data subject rights to be forgotten and to withdraw consent.
Essentially, the ICO’s concerns border around the lack of a substantially similar right under the DPF akin to that provided under the UK GDPR. Nonetheless, the ICO still found it ‘reasonable’ for the UK Government to conclude that the US has an adequate level of protection. Notably, the UK DPF extension must be evaluated every four years, it is expected that the ICO will continue to monitor the program to assess compliance and ensure the promised protections are met.
From 12 October 2023, UK businesses will have a new valid transfer mechanism to share personal data to the US, and will no longer need to use the UK Addendum and the International Data Transfer Agreement (IDTA). However, before transferring personal data, UK businesses will have to confirm that the US recipient is certified with the DPF and has signed up to the UK Extension to the EU-US Data Privacy Framework program on the DPF website. It is also worth considering further simple diligence checks for example checking that the DPF certification actually covers the nature of data transferred between the parties.
The UK-US data bridge is envisioned to provide an expanded level of legal certainty around international data transfers to and from the US, in furtherance of the Atlantic Declaration. We will continue tracking this development closely and will provide further details as this progresses.