Overview
The UK government has published the Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028) (the UK-US Data Bridge Regulations), which adopt an adequacy decision for the US (the UK-US Data Bridge) and will come into force on 12 October 2023.
The UK-US Data Bridge recognizes the US as offering an adequate level of data protection where the transfer is to a US organization that (i) is listed on the EU-US Data Privacy Framework (DPF), and (ii) participates in the UK Extension to the DPF.
On July 10, 2023, the European Commission adopted its adequacy decision for the DPF. The decision concluded that the DPF ensures an adequate level of protection for transferring personal data from the European Union to the United States. The UK-US Data Bridge is an extension of the DPF which was discussed in our prior updates.
In Depth
What, therefore, are the advantages of using the DPF and the UK-US Data Bridge?
Leveraging the DPF, recognized as an adequacy decision, provides organizations with a streamlined approach to data transfers. Within this context, companies that participate in the DPF are automatically deemed safe for data reception from the UK.
One of the prime benefits of the UK-US Data Bridge, built upon the DPF framework, is that participating organizations are exempted from the need to conduct transfer impact assessments (TIAs) or institute supplementary measures. In contrast, if companies rely on Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs), they are still mandated to implement supplementary measures. The UK-US Data Bridge facilitates a seamless transfer of data back and forth between the two territories. Furthermore, as the data protection landscape evolves, customers increasingly expect companies to actively participate in such data transfer frameworks, enhancing trust and compliance.
Are there any challenges?
However, the framework is not without complications. Both the Information Commissioner’s Office (ICO) and EU privacy activists have commented on the UK-US Data Bridge and the DPF. The ICO noted in its opinion on the UK-US Data Bridge Regulations that there are areas that could pose risks to UK data subjects if the protections identified are not properly applied. The opinion identifies several potential issues with the UK-US Data Bridge, including the following, which serve as a basis to question the UK-US Data Bridge:
- The UK-US Data Bridge does not contain substantially similar rights to the UK GDPR’s (i) right to be forgotten, (ii) right to withdraw consent, and (iii) right to obtain a review of an automated decision by a human. As a result, UK data subjects might not have the same level of control over their data as they do under UK GDPR.
- The definition of ‘sensitive information’ under the UK-US Data Bridge does not specify all the ‘special categories of personal data’ of the UK GDPR. Instead, the framework has a broad ‘umbrella’ concept providing that sensitive information can be any data regarded as sensitive by the transferring entity. UK businesses will have to clearly label certain types of data as ‘sensitive’ when transferring to a US organisation certified under the UK Extension to ensure adequate protection.
- For data on criminal offenses, the ICO highlights potential vulnerabilities, even when tagged as sensitive. Since the UK places restrictions on the use of ‘spent’ convictions, there are concerns about a lack of comparable protections in the US for transferred data.
Conclusion
While the DPF and UK Data Bridge present advantages for companies aiming for seamless data transfers from the EU or the UK to the US, they are not without challenges.
The DPF and the UK-US Data Bridge extension are not the only option available to organisations transferring and processing personal data outside of the UK. Controllers or processors may still choose to rely on other appropriate safeguards such as standard contractual clauses or binding corporate rules.
We are witnessing a growing trend among organisations to put in place diverse safeguard measures, preparing for the eventuality that one of these transfer mechanisms might be invalidated. Companies interested in discussing the individual needs of their organisation should contact the authors or their regular McDermott lawyer.