A new UK-US data bridge is to be made available to businesses in the UK. It will enable bodies looking to transfer personal data to organizations in the US certified under the UK Extension to the EU-US Data Privacy Framework (DPF) from October 12, 2023, and removes the need for an additional transfer safeguard such as the UK’s International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses.
This is positive news for UK organizations because it expands the options available for transfers of personal data from the UK to the US. Organizations sending personal data to importers participating in the UK Extension to the EU-US DPF will not need to carry out a transfer risk assessment. The development also brings the UK’s data transfer rules back in step with the EU.
However, organizations should note that in their review of the UK-US data bridge, the UK’s Information Commissioner (ICO) identified areas that “could pose some risks” to UK data subjects if the protections identified (including clearly specifying any transfers of sensitive personal data) are not properly applied.
Background to data bridges
The UK’s Secretary of State can specify (by making adequacy regulations – or “data bridges” as the UK Government prefers to call them) that a third country ensures an adequate level of protection of personal data. This is one way in which organizations subject to UK data protection law (the UK GDPR and Data Protection Act 2018) can transfer personal data out of the UK to a third country without the need for additional safeguards, such as the standard contractual clauses.
In July, we reported that the European Commission adopted an adequacy decision in respect of the EU-US Data Privacy Framework (DPF), which enables organizations to transfer personal data freely from the EU to US companies participating in the DPF. At the time, the US Department of Commerce (DoC) confirmed that eligible US organizations would be able to self-certify compliance pursuant to the UK extension to the EU-US DPF from July 17, 2023, but could not rely on the UK extension to receive personal data transfers from the UK before the date that the UK’s relevant adequacy regulations enter into force.
The UK Department for Science, Innovation and Technology (DSIT) has now announced that the country’s new adequacy regulations were laid in Parliament on September 21, 2023, following the US Attorney General’s designation of the UK as a “qualifying state” under Executive Order (EO) 14086 earlier in the week. The designation gives UK individuals whose personal data is transferred to the US (under any transfer mechanism) access to a newly established redress mechanism where they believe that their personal data has been accessed unlawfully by US authorities for national security purposes. As with the DPF, this designation under EO 14086 was a significant factor that led to the UK’s successful adequacy regulations assessment.
The adequacy regulations will come into force on October 12, 2023. From this date, organizations based in the UK will be able to transfer personal data to organizations certified under the UK Extension to the DPF without needing to put in place alternative safeguards such as the UK’s International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.
How UK extension to EU-US DPF works
The EU-US DPF is a voluntary self-certification framework of principles providing protections for personal data transferred from the EU to certified US organizations. In order to self-certify, eligible US organizations must agree to comply with the principles and make a public commitment to do so via a published privacy policy.
Organizations that are not subject to the jurisdiction of the FTC or Department of Trade cannot participate in the DPF. The DPF principles comprise commitments in relation to data protection and set out requirements on how an organization collects, processes and discloses personal data. The DPF is administered by the US Department of Commerce (DoC), which will process applications for certification and monitor whether participating companies continue to meet their certification criteria. The US Federal Trade Commission will enforce compliance with the DPF.
The DoC agreed to extend the DPF to personal data transferred from the UK to certified US organizations, under what is known as the UK Extension. Where an organization has self-certified under the DPF, it may elect to also be certified under the UK Extension by making additional UK-specific commitments as part of its outward-facing commitments and by indicating participation in the UK Extension to the DoC. The DPF’s protections do not extend to journalistic data – which includes personal information gathered for publication, broadcast, or other forms of public communication of journalistic material.
Only US organizations subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation can participate in the DPF program. Therefore, organizations falling outside the jurisdiction of the FTC or DoT — for example, banking, insurance, and telecommunications companies — are currently not able to self-certify under the DPF.
The Secretary of State is required to monitor, on an ongoing basis, developments in the US which might affect the protection provided for transfers under the UK Extension. In addition, the Secretary of State must undertake a review of whether there continues to be an adequate level of protection under the UK Extension every four years.
Information Commissioner’s opinion
But is the devil in the detail? As part of its announcement, DSIT published a number of supporting documents, including the Information Commissioner’s opinion: UK government’s assessment of the UK Extension to the EU-US Data Privacy Framework. In its opinion, the Information Commissioner highlighted four areas that “could pose some risks to UK data subjects if the protections identified are not properly applied”.
In light of these risk areas, the Commissioner gave only a qualified assurance to Parliament in respect of the regulations. The Commissioner recommended that the Secretary of State should:
- evaluate the effectiveness of the guidance issued in respect of indicating sensitive personal data, in affecting practice;
- monitor the relevant risk areas so that the differences in UK and US law do not result in a reduction in protections for data subjects.
The Information Commissioner notes that the definition of “sensitive information” under the UK Extension does not explicitly refer to biometric, genetic, sexual orientation and criminal offence data. Instead, it includes a catch-all provision covering “…any other information received from a third party that is identified and treated by that party as sensitive.” According to the Information Commissioner, to address this gap, UK organizations transferring personal data on the basis of the UK-US data bridge should identify biometric, genetic, sexual orientation and criminal offence data as “sensitive data” upon transfer so that it is sufficiently treated as such under the UK Extension.
Special category data
However, this recommendation has not been formally ratified in the relevant statutory instrument – the adequacy regulations. So there is a risk that where such data is not identified as sensitive upon transfer, it will not be sufficiently protected. In line with the Information Commissioner’s advice, DSIT has published a factsheet which states that special category and sensitive data can be shared with US organizations under the DPF. However, such data must be correctly identified as sensitive by UK organizations when it is being shared.
The Information Commissioner also observes that, as far as they are aware, there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974 (ROA), which limits the use of data relating to “spent” convictions following the relevant rehabilitation period, for example the ability to request that this data is deleted. It is unclear how these protections would apply once this type of data is transferred to the US. The DSIT factsheet states that when sharing criminal offence data it should be indicated to the US recipient organization that it is sensitive data requiring additional protections (as for other special categories of personal data, above), but is silent on the ROA point.
Further, the UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual. In addition, the UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent. Again, the DSIT factsheet is silent on this point.
What should I do?
UK organizations transferring personal data to the US on the basis of the UK Extension to the DPF should take the following steps:
- Confirm the data importer (the US recipient) has an active DPF certification. You can do this by going to the DPF List and checking the alphabetical list or by using the organization search bar. Note that when importing HR data specifically, US organizations must have highlighted this on their certification.
- Confirm that the data importer has signed up to the UK Extension.
- If you want to transfer HR data, you should confirm that HR data is covered by the organization’s DPF commitments. This can be done by checking the relevant privacy policy or policies for HR data and/or non-HR data. These policies are located under the “Privacy Policy” section of the importer’s DPF program record.
- If the personal data you are transferring includes any genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning sexual orientation or criminal offence data, then explicitly identify it as “sensitive” to the data importer, to ensure it attracts the appropriate protections under the DPF.
- Consider adopting an alternative fallback safeguard (for example the UK Addendum to the EU Standard Contractual Clauses) as an extra layer of protection, in case the UK-US data bridge is invalidated (see our further commentary on this point below).
If you are transferring personal data to the US on the basis of the UK Extension to the DPF, you will not need to conduct a Transfer Impact Assessment (TIA). DSIT was silent on whether the UK-US data bridge means that UK organizations transferring personal data to the US on the basis of other transfer safeguards (for example, the UK Addendum to the EU Standard Contractual Clauses) still need to conduct a TIA. However, it is possible that they do not – this would align with the rationale taken in the European Commission’s Q&A on the EU-US DPF (see question 7). A prudent approach for those organizations would be to put in place a very short TIA which signposts out to the UK-US data bridge and its supporting documentation.
What else do I need to know?
The EU-US DPF is already under threat. An application for annulment of the EU-US DPF has recently been made by a member of the French Parliament. As we have noted previously, the DPF’s predecessors, the Safe Harbor Privacy Principles and the EU-US Privacy Shield were invalidated by the CJEU in 2015 and 2020 respectively, following legal challenges. It remains to be seen whether the UK-US data bridge will prove to be as futile. We will keep you updated in this regard.
For the time being, the UK-US data bridge provides a legitimate mechanism for organizations in the UK looking to transfer personal data to the US, as long as the steps outlined above are taken.
Paula Barrett, a partner in the London office, co-leads the global cybersecurity and privacy practice. Partner Michael Bahar is a litigation attorney in Eversheds Sutherland’s Washington DC office; and the co-lead of the firm’s global Cybersecurity and Data Privacy practice.
With thanks to Lizzie Charlton.