There are various rules regarding personal data under the UK General Data Protection Regulation ('UK GDPR'), with which all UK businesses must comply.
The transfer of personal data out of the UK to an overseas country is referred to by the UK GDPR as a 'restricted transfer'. To ensure such transfers are lawful, organisations need to have appropriate safeguards in place.
This is a rapidly evolving area of law, with a new ‘Data Bridge’ between the UK and US coming into effect from October 2023. The Data Bridge is a welcome development for many UK organisations, as it has the potential to open up opportunities for transatlantic business while reducing the administrative ‘red tape’ of the existing regime.
When can a restricted transfer be made?
Under the GDPR, restricted transfers cannot be made except where:
- An 'adequacy decision' applies, meaning the UK has determined that the overseas country (or scheme) receiving the data affords an essentially equivalent level of protection for personal data to that provided in the UK, so no additional safeguards or measures are needed;
- There are 'appropriate safeguards' in place, such as the UK International Data Transfer Agreement (IDTA) or Binding Corporate Rules, supported by a transfer risk assessment; or
- One of the limited derogations from the UK GDPR for specific situations applies.
What is the UK/US Data Bridge?
Earlier this year the UK Government confirmed that from 12 October 2023, UK businesses can begin transferring personal data to US organisations certified to the UK Extension to the EU-US Data Privacy Framework.
The EU-US Data Privacy Framework (commonly known as the 'DPF') is the scheme underlying the EU's adequacy decision for the US, and it operates as a self-certification scheme. US organisations can opt into receiving personal data from EU organisations by certifying their adherence to a comprehensive set of principles and requirements. These principles are embodied as commitments to data protection and govern how an organisation collects, uses and discloses personal data.
The new Data Bridge allows US organisations that are certified to the DPF to additionally opt in, via the UK Extension, to receiving personal data from the UK. Such organisations are placed on the 'DPF List', which is available here. Currently, only US organisations subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation are eligible to certify.
What should my business do now?
UK businesses should bear in mind that the Data Bridge does not allow the free transfer of personal data to any organisation in the US. Rather, the US organisation receiving the data must be certified to the UK Extension to the DPF and appear on the DPF List. For this reason, the Data Bridge has been referred to as a 'partial' bridge, as it applies only to a limited number of US organisations.
UK businesses should therefore confirm, by searching the DPF List, that the US organisation to which they wish to transfer personal data is certified as a participant in the DPF and has signed up to the UK Extension. An organisation that is certified only under the EU-US DPF will need to amend its certification to include the UK Extension before any UK personal data is transferred in reliance on the Data Bridge.
Bear in mind that the obligation of transparency towards data subjects continues. When seeking to rely on the Data Bridge, organisations should consider updating their records of processing activities and privacy notices to include the Data Bridge as a relevant transfer mechanism.
In the event that a US recipient organisation is not certified under the UK Extension to the DPF, all is not lost. UK businesses can still make such transfers by relying on the pre-existing appropriate safeguards (such as the IDTA) and the associated transfer risk assessments noted above.
Despite the US/UK Data Bridge being a welcome addition to the adequacy decision framework already in place, concerns have been expressed about its implementation.
Particular concerns surround the sharing of special category data. Such data always requires special consideration, and concerns have been raised that the US regime under the DPF does not afford the same level of protection to this type of data as the UK regime provides. As such, while special category data can be shared with US organisations certified under the DPF, the Information Commissioner's Office has recommended that the UK organisation identify such data as sensitive when it is shared, so that the US recipient applies the additional protections the DPF requires for sensitive data, and that the UK organisation consider whether additional protections are needed when transferring to US-based recipients.
Furthermore, the Data Bridge does not reflect Article 22 of the UK GDPR, which aims to protect individuals from automated decision-making. Article 22 prevents organisations from making decisions based solely on automated processing that produce legal or similarly significant effects on an individual, except in very limited circumstances. Therefore, such decisions generally require an element of human intervention to be lawful. This is a hot topic in the dawn of the AI era, with the UK government largely supporting innovation, and is particularly relevant where data is being transferred for the purposes of operating fully automated AI systems.
There has been a protracted history of legal challenges to transatlantic data transfer mechanisms, and the UK/US Data Bridge is unlikely to be an exception (see our article on the 'Schrems II' litigation here). UK businesses will need to remain alert to challenges to the DPF. While any challenge will take considerable time to determine, there is a risk that the DPF could be withdrawn by the European Commission or invalidated by the courts in the future, which would leave the UK/US Data Bridge hanging in the balance. As such, UK businesses may prefer to continue relying on existing safeguards given the current uncertainty.
If you have any questions on the impact of the UK/US data bridge on your business, contact one of our commercial law specialists here or on (0)1635 508080.