UK-US Data bridge
Wednesday, 01 November 2023

Following on from the European Commission’s limited adequacy decision for the EU-US Data Privacy Framework (“DPF”) adopted on 10 July last, the UK’s Data Protection (Adequacy) (United States of America) Regulations 2023 (the “Regulations”) came into force on 12 October last.
The Regulations specify that the US has an adequate level of protection for personal data, with the Regulations having the effect of establishing a data bridge between the UK and the US which will allow for the transfer of personal data to the US without additional safeguards being in place. The Regulations are known as the “UK-US Data bridge”. The UK-US Data bridge allows for the legitimate transfer of personal data from the UK to the US, on the basis of the DPF.
The UK-US Data bridge acts as an extension of the DPF, itself introduced by the European Commission on 10 July this year (click here to see the ByrneWallace LLP article on the DPF). As part of the DPF, the European Commission concluded that the US now has an adequate level of protection for personal data transferred from a controller or a processor in the EU to certified commercial organisations in the US. To avail of the simplified transfer mechanisms under the DPF, US importers of EU personal data must self-certify adherence to the DPF Principles to the US Department of Commerce. The UK-US Data bridge is an extension of the DPF, in that US entities that have self-certified under the DPF may extend their certification to cover UK personal data. An entity that has self-certified under the UK-US Data bridge can then receive personal data transferred from the UK to the US without the need for UK GDPR International Data Transfer Agreements or Addenda (the UK equivalent to Standard Contractual Clauses (“SCCs”)) or other appropriate safeguards specified in Article 46 of the UK GDPR. A Transfer Risk Assessment, albeit a less onerous one than prior to the UK-US Data bridge, is still required. Significantly, the UK-US Data bridge cannot be entered into separately from the DPF, and so the UK-US Data bridge is not a standalone means of transferring UK data to the US. This somewhat limits the utility of the UK-US Data bridge as a transfer mechanism.
The UK Data Protection Regulator, the Information Commissioner’s Office (“ICO”), has highlighted that certain categories of personal data that are treated as particularly sensitive under the UK GDPR (i.e. “special categories of personal data” under Article 9 of the UK GDPR) are not treated as “sensitive information” under the DPF unless this data is expressly identified as sensitive by the transferring organisation. Criminal offence data, genetic data, biometric data for the purpose of identifying a natural person and data concerning sexual orientation must be flagged as “sensitive” by a UK data exporter in this context. UK entities transferring to a US entity under the UK-US Data bridge should be alive to this additional requirement to classify such data expressly as sensitive.
Transfers of personal data from the UK to the US may continue outside the auspices of the UK-US Data bridge: in such a case the requirements of Article 46 of the UK GDPR must be complied with, i.e. an appropriate safeguard such as binding corporate rules, an International Data Transfer Agreement or an Addendum to the SCCs must be in place, and a Transfer Risk Assessment must be undertaken. Businesses seeking to take advantage of the new UK-US Data bridge will need to ensure that they meet all requirements before relying on it as a valid international transfer method. Some businesses transferring personal data from the UK may still seek a belt-and-braces approach, relying on both the UK-US Data bridge and an alternative transfer mechanism (such as the International Data Transfer Agreement or Addendum which, as noted above, are the UK equivalent of SCCs), particularly given the uncertainty around whether the EU-US Data Privacy Framework (and the UK extension to it) will withstand challenge.
Both UK data exporters and US data importers that use the UK-US Data bridge will need to review and, where necessary, update their privacy policies, records of processing activities, contracts and other documents to ensure they are compliant with applicable data protection and data privacy law.
For further information or advice on how the UK-US Data bridge impacts upon your organisation, please contact Seán O’Donnell or Zelda Deasy or any other member of the ByrneWallace LLP Data Protection Team.