What to expect when the UK-US Data Bridge comes into force this week
Britain's privacy watchdog still not happy that agreement 'appropriately' protects sensitive data
Opinion: The UK Extension to the EU-US Data Privacy Framework (aka Data Bridge) will enter into force on October 12, allowing certifying entities to easily transfer personal data from the UK to the US.
Transferring personal data across the Atlantic would otherwise be prohibited under the UK General Data Protection Regulation (UK GDPR) without transfer mechanisms (such as standard contractual clauses, aka SCCs, or binding corporate rules, aka BCRs).
The European Commission adopted an adequacy decision in favour of the EU-US Data Privacy Framework (DPF) in July. The DPF is a replacement for the EU-US Privacy Shield, which was declared invalid by the Court of Justice of the European Union (CJEU) in 2020.
As the UK is no longer a member of the European Union, the DPF does not automatically enable the transfer of personal data from the UK to the US. Transfers of personal data from the UK will require a Data Bridge.
The Department for Science, Innovation, and Technology (DSIT) published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework (the Regulations) on September 21. The Regulations provide that for the purposes of the UK GDPR and the Data Protection Act 2018, the Secretary of State considers that the US provides an adequate level of protection for personal data for certain types of transfers.
In order for UK data exporters to be able to rely on the Data Bridge, the US importer must have self-certified to the DPF and the Data Bridge. Transferred personal data must be handled in accordance with the DPF principles upon receipt by the US data importer.
However, British data watchdog the Information Commissioner's Office (ICO) has expressed reservations concerning the Data Bridge.
Gaps in the bridge?
The ICO argues that entities may not appropriately protect sensitive data. The Data Bridge definition of "sensitive data" does not match that of the UK GDPR, as the definition that appears in the Data Bridge does not specify all of the special categories of personal data identified in Article 9 UK GDPR.
In addition, the Data Bridge definition includes a catch-all provision specifying "... any other information received from a third party that is identified and treated by that party as sensitive." This discrepancy means that UK exporters will need to identify biometric, genetic, sexual orientation, and criminal offence data as "sensitive data" when sending information to the US. However, nothing in the UK GDPR currently requires UK organizations to identify information as sensitive. This means that protections for special categories of personal data may not be applied in practice.
The ICO has also expressed concerns over the fact that criminal offence data may be less protected in the United States. The US does not provide protections equivalent to those set out in the UK's Rehabilitation of Offenders Act 1974, which places limits on the use of data relating to criminal convictions when those convictions have been "spent" following the relevant rehabilitation period, including the ability to request that such data be deleted. The ICO observes that it is not clear how these protections would apply to information that has been transferred to the US.
There's also a question mark over whether individuals have fewer privacy rights under the Data Bridge. It does not contain a right substantially similar to the UK GDPR's protection of individuals from being subject to decisions based solely on automated processing which would result in legal or similarly significant effects on the data subject. In particular, the Data Bridge does not include a right to have an automated decision reviewed by a human.
In addition, the Data Bridge does not include a substantially similar "right to be forgotten" or to withdraw consent. While the Data Bridge gives individuals some control over their personal data, it is not as extensive as the rights they enjoy in the UK.
UK companies that are unable to rely on the Data Bridge for transfers of personal data to the US may still rely on other safeguards, namely SCCs or BCRs. However, as with the DPF, there are specific requirements for transfers from the UK.
UK exporters that rely on the SCCs to transfer personal data to the US or other third countries must be aware that the EU SCCs can no longer be used for new agreements for data transfers from the UK.
The EU SCCs must either be appended with the UK Addendum to the EU SCCs or UK data exporters should use the UK International Data Transfer Agreement (IDTA) instead. UK data exporters that have already concluded contracts based on the EU SCCs on or before September 21, 2022 may continue to rely on the EU SCCs until March 21, 2024.
After this time, UK exporters must adopt either the IDTA or the EU SCCs with the UK Addendum. UK exporters must also carry out a Transfer Risk Assessment (TRA) before they transfer personal data using the SCCs, using either the ICO TRA tool or guidance published by the European Data Protection Board (EDPB).
Given the fanfare that first emerged when the UK government announced the concept of the Data Bridge in June, the ICO's critique of the initiative is not insignificant. Though the Data Bridge will come into effect on October 12, it will be interesting to see how it operates in practice, especially given the ICO's concerns.