The UK-US data bridge (live from 12 October 2023) offers a new streamlined option for transfers of personal data from the UK to the US in the case of participating companies. This follows an assessment by the UK Secretary of State that the scheme offers an adequate level of data protection to enable transfers of personal data to active participants in the scheme.
What does the UK-US data bridge offer?
The UK-US data bridge offers another option for companies and other organisations subject to the UK General Data Protection Regulation that wish to transfer personal data to US companies participating in the UK Extension to the EU-US Data Privacy Framework (“DPF”). For such transfers (where no appropriate derogation can be relied upon), there will no longer be a need to ensure that appropriate safeguards (such as standard contractual clauses or binding corporate rules), together with a satisfactory transfer risk assessment, are in place before the transfer is made.
What is required in practice?
The UK Extension to the DPF follows the recent EU-US agreement on the DPF scheme. A US-based organisation may voluntarily decide to join the DPF scheme. Once it has done so, this commitment becomes enforceable under US law by the applicable US enforcement body (in most cases, the Federal Trade Commission). Guidance produced by the International Trade Administration of the US Department of Commerce also indicates that a US company must first sign up to the EU-US DPF scheme before it can also sign up to participate in the UK Extension.
For businesses in the US that choose to participate, the DPF requires self-certification of compliance with the ‘DPF Principles’ (see below) and a public declaration of a company’s commitment to compliance with the scheme. The DPF also provides greater scope for data subjects to seek redress than was the case with previous transfer schemes.
The DPF Principles closely mirror many core elements of EU and UK data protection law, including in respect of notice or transparency (including a requirement for participating US data importers to provide privacy notices reflecting the DPF requirements), access, security, data integrity (including data minimisation and accuracy) and purpose limitation. ‘Supplemental Principles’ also apply in certain circumstances, e.g. for the processing of sensitive data and human resources data.
As the requirements for participating US businesses are relatively onerous, involving adherence to a wide range of legally enforceable requirements and a requirement to re-certify adherence annually, it remains to be seen how popular the scheme will ultimately be. While participation in the DPF by the US data importer reduces the compliance burden on the EU or UK data exporter and offers a more streamlined transfer process for all parties, it may increase the compliance burden on the US data importer and so be undesirable in certain cases. It is expected that while US businesses routinely in receipt of EU/UK personal data for the purposes of their business model may choose to participate, those for whom receipt of such data is a less regular occurrence may favour the continued use of appropriate safeguards such as standard contractual clauses where applicable.
Why is there a need for the UK-US data bridge?
The DPF and its UK Extension are designed to offer a lawful means of transfer from the EU and UK to the US following the invalidation of the previous EU-US Privacy Shield (which also applied in respect of the UK) in 2020 by the Court of Justice of the European Union (“CJEU”). Following this ruling, EU and UK businesses have been required to put in place appropriate safeguards and to undertake transfer impact assessments or risk assessments prior to undertaking transfers of personal data to the US (unless a derogation applies) to ensure that there is an essentially equivalent level of data protection in place.
How does the UK Extension work?
Following the European Commission’s adoption of a partial adequacy decision in respect of the scheme on 10 July 2023, the UK Data Protection (Adequacy) (United States of America) Regulations 2023 (which entered into force on 12 October 2023) indicate that the UK Secretary of State considers that the US ensures an adequate level of data protection for transfers to legal persons participating in the UK Extension to the DPF who will be subject to the DPF Principles. (Other transfers to the US are not covered and will continue to require use of appropriate safeguards.)
Risks and ongoing legal uncertainty
While the DPF makes a number of changes from the previous Privacy Shield in an effort to address the CJEU’s interpretation of the requirements of EU data protection law, including strengthening the requirements relating to data subject rights and enforceability, it has proved controversial. A French parliamentarian, Philippe Latombe, has already filed a dual challenge with the CJEU which is understood to seek annulment of the EU-US adequacy decision relating to the DPF and to challenge its substantive content. In addition, there is speculation that Max Schrems and/or NOYB may also decide to bring a challenge. It is not yet known whether there will be any similar challenges to the corresponding UK adequacy regulations.
What happens if I wish to transfer personal data from the UK to a US party not subject to the UK Extension to the DPF?
Transfers of personal data falling outside the scope of the UK’s partial adequacy decision must comply with the requirement to have a lawful transfer ‘mechanism’ in place. From a UK perspective, this typically means that standard contractual clauses must be in place: either the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses (accompanied by those clauses). In addition, a transfer risk assessment must be conducted prior to such transfers, and the transfers undertaken only if the outcome of the assessment is satisfactory.
Please contact CMS if you require any further information.