As of 12th October 2023, transferring personal data from the United Kingdom to the United States became simpler, due to the introduction of a new UK-US data bridge under the UK Extension to the EU-US Data Privacy Framework (DPF). The introduction of the UK-US data bridge allows personal data to be transferred to the US without the need for additional transfer safeguards. This comes hot on the heels of the EU-US Data Privacy Framework (adopted in July 2023) and brings the UK’s data transfer regulations back in line with the EU.
Overview of the UK Extension to the DPF
The introduction of the UK-US data bridge creates new options for UK businesses looking to transfer personal data from the UK to the US, simplifying the process by removing the need to undertake extensive risk assessments on transfers, provided that the receiving organisation is certified under the UK Extension to the DPF. US organisations wishing to be certified must comply with the data protection principles outlined in the DPF and acknowledge this compliance via a publicly available privacy policy. The US Department of Commerce will process applications for certification and monitor participating organisations. These organisations must also fall under the jurisdiction of the US Federal Trade Commission, which will enforce compliance, or the US Department of Transportation, meaning that organisations falling outside this scope, such as banking and insurance, are currently not eligible for certification. Once certified under the DPF, an organisation may also be certified under the UK Extension by making additional commitments of compliance with UK adequacy regulations and indicating this to the US Department of Commerce.
The data bridge came into force on 12th October 2023 as part of the UK’s new adequacy regulations and following the designation of the UK as a ‘qualifying state’ by the US Attorney General. This allows UK organisations to transfer personal data to participating US organisations and be assured that the level of protection provided by the UK GDPR is maintained. This reduces barriers to necessary data sharing, speeding up the process through the removal of transfer risk assessments.
Information Commissioner’s Opinion
While there are obvious advantages to the introduction of this new data bridge, it is important to note that the UK Information Commissioner (ICO) identified a number of potential risks to UK data subjects.
The first of these concerns the differing definitions of ‘sensitive information’, with the UK Extension to the DPF not specifically covering all the categories of sensitive information that are listed in Article 9 of the UK GDPR. The UK Extension instead attempts to cover this with a catch-all statement specifying, ‘any other information received…that is identified and treated by that party as sensitive’. This means that UK organisations will have to ensure that they identify all sensitive data as such, or risk it not being sufficiently protected by the receiving US organisation.
The ICO also notes that differences in law between the UK and US may pose difficulties in maintaining sufficient protection for UK data subjects. For example, the UK’s Rehabilitation of Offenders Act 1974 limits the use of data relating to ‘spent’ convictions, including the ability for data subjects to request that criminal offence data be deleted after a certain period of rehabilitation. The US has no equivalent protections in place, meaning it is unclear how criminal offence data that is transferred will be treated.
In addition, the UK Extension does not contain equivalent rights to the UK GDPR on points such as the unconditional right to withdraw consent or the right to be forgotten, meaning that individuals will have less control over their personal data once it has been transferred. Similarly, the UK Extension does not provide for the right to obtain a review of an automated decision by a human, a provision under the UK GDPR that protects individuals from being subject to decisions based solely on automated data processing.
What does this mean for UK businesses?
Despite the risks identified by the ICO assessment of the UK-US data bridge, its introduction could prove to be beneficial for many UK organisations looking to transfer personal data to the US.
In order to ensure that data is adequately protected, UK businesses will need to confirm that the receiving US organisation is certified under the DPF and has signed up to the UK Extension. As mentioned above, organisations involved in banking and insurance, for example, may fall outside the scope of the DPF. Furthermore, all personal data that is considered sensitive, such as genetic or biometric data or information concerning sexual orientation, must be expressly identified as sensitive to the US recipient.
The UK Government is clear that the data bridge does not remove the burden of compliance with UK data protection laws, but rather extends these protections to cover the data that has been transferred. This means that UK businesses are still expected to ensure that data is properly protected, including in the decision to transfer the data to other organisations. In other words, UK organisations should take steps to ensure that they are compliant with UK GDPR and any data transfers to the US fall firmly within the scope of the UK Extension to the DPF.
The Commercial & IP Team at Berry Smith can provide specialist advice on data protection compliance, as well as general commercial and business advice.
Please contact us on 029 2034 5511 or at commercial@berrysmith.com if you would like more information about the issues raised in this article or any other aspect of Commercial law.