The 12th October 2023 saw the introduction of the UK-US Data Bridge (‘the Data Bridge’), transforming the way both nations handle the flow of information across their borders.
Pre-Data Bridge
Before the Data Bridge, the lawful transfer of personal data from an organisation based in the UK to a counterpart in the US was governed by complex regulations, specifically the EU-US Privacy Shield (‘the Privacy Shield’), the EU General Data Protection Regulation (‘UK GDPR’) and the UK General Data Protection Regulation (‘UK GDPR’).
EU-US Privacy Shield
From July 2016 until July 2020, the Privacy Shield partially governed the exchange of personal data between the US and EU (and then the UK, post-Brexit) for commercial purposes. Its purpose was to enable US organisations to easily receive personal data from EU entities under EU privacy laws, which intended to protect EU citizens. After concerns about the US government surveillance practices and their impact on the privacy of EU citizens’ personal data, the Privacy Shield was invalidated by the European Court of Justice in 2020, creating uncertainty in the transatlantic data-sharing network.
Alternative Data Transfer Mechanisms
By removing the Privacy Shield, UK organisations wishing to transfer personal data to the US had to rely on alternative data transfer mechanisms such as Standard Contractual Clauses (‘SCCs’) and Binding Corporate Rules (‘BCRs’).
Most UK organisations relied on SCCs to lawfully transfer personal data to the US following the demise of the Privacy Shield. However, SCCs were only deemed a lawful mechanism if the data exporter also carried out a potentially complex transfer impact assessment to consider whether the protection for UK data subjects under the UK data protection regime would be undermined by US laws.
In March 2022, the International Data Transfer Agreements (IDTAs) superseded the EU SCCs in the UK after the UK GDPR replaced the EU GDPR in January 2021. IDTAs operate in a similar way to SCCs and therefore, need to be accompanied by a transfer risk assessment to ensure that the transfer adequately protects the rights of UK data subjects.
EU-US Data Privacy Framework
On 25th March 2022, the US and EU announced the EU-US Data Privacy Framework (‘DPF’) which provided a mechanism for personal data to transfer safely from the EU to US organisations participating in the DPF, without the need for additional data protection safeguards. This came into force on 10th July 2023 after the European Commission’s decision that the US ensures an adequate level of protection for personal data transferred under the new framework.
UK-US Data Bridge
The Data Bridge is the UK extension to the DPF, allowing personal data to be transferred from the UK to organisations in the US which are participating in the DPF, with no further safeguards necessary. However, any transfer under the UK extension must be made to a DPF-certified US organisation which has opted into the UK extension. Additionally, any data transferred by this method which is ordinarily covered by the UK GDPR will be subject to the principles of the DPF.
To self-certify, eligible US organisations must agree with the DPF principles, which provide data protections for personal data transferred from the EU. Following this, they must make a public commitment to comply via a published privacy policy. The principles impose commitments in relation to data protection and set out requirements on how an organisation collects, processes, and discloses personal data.
Certain categories of personal data that are treated as ‘special category’ data under the UK GDPR are no considered ‘sensitive’ information under the DPF unless they have been identified as sensitive by the transferring organisation. The categories that must be expressly flagged as sensitive are:
- Biometric data;
- Data concerning sexual orientation;
- Genetic data; and
- Criminal offence data.
The following rights are not protected under the DPF but are provided for the in the UK GDPR:
- The right to be forgotten under the UK GDPR;
- The rights under the UK GDPR relating to decisions based solely on automated processing; and
- The unconditional right to withdraw consent to data processing.
Before relying on the Data Bridge as a valid transfer mechanism, UK businesses should ensure that all pre-transfer requirements and considerations are satisfied and made.
Benefits
- Legal clarity – the Data Bridge provides a clear legal framework for data transfers, reducing uncertainty for businesses and individuals in both the UK and US.
- Enhanced security – agreement prioritises data security, ensuring that personal data remains safe during transit and storage.
- Reduced compliance costs – administrative obligations under the Data Bridge are much reduced compared to those under alternative compliance measures. The Data Bridge therefore represents a more cost-effective means for businesses to operate in the UK and US.
- Swift dispute resolution – Data Bridge includes mechanisms for swift resolution of data-related disputes, reducing the need for lengthy legal battles and associated costs.
Challenges
- Data privacy – it has been suggested that the agreement may no go far enough in safeguarding data privacy – it is crucial for governments and businesses to strike the right balance between data and individual privacy rights.
- Security risks – as data sharing becomes more streamlined, there is always the risk of increased exposure to security threats.
- Regulatory compatibility – Data Bridge must work in harmony with existing data protection regulations like the UK GDPR and US Privacy Act to ensure a seamless and compliant data-sharing environment.
If your business requires advice on its compliance with the Data Bridge, our data protection lawyers can help. For further information please contact James Simpson 01494 478689 on or email jfs@blasermills.co.uk.
This article is not intended to constitute legal advice and you should not take, or refrain from taking, any action based on the information which it contains. Always seek the services of a professional legal adviser.