Transfers Between the UK and the US Now Subject to an Adequacy Decision
The UK Department of Science, Innovation and Technology (DSIT) announced on September 21 that the UK Extension to the EU-U.S. Data Privacy Framework (the Data Bridge) will enter into force on October 12. The Data Bridge will allow entities that self-certify to easily transfer personal data from the UK to the U.S., a transfer which would otherwise be prohibited under the UK General Data Protection Regulation (UK GDPR) absent a transfer mechanism such as the standard contractual clauses (SCCs) or binding corporate rules (BCRs).
Background: The EU-U.S. Data Privacy Framework
As previously discussed, the European Commission adopted an adequacy decision in favor of the EU-U.S. Data Privacy Framework (DPF) on July 10. The DPF is a replacement for the EU-U.S. Privacy Shield, which was declared invalid by the Court of Justice of the European Union (CJEU) in the Schrems II decision of July 2020. The adequacy decision followed the adoption of the Executive Order on Enhancing Safeguards for United States Signals Intelligence Activities by President Biden on October 7, 2022 (EO14086). For EU citizens whose personal data is transferred to the U.S., EO14086 provides:
- Binding safeguards that limit access by U.S. intelligence authorities to what is “necessary and proportionate” to protect national security
- The establishment of an independent and impartial redress mechanism that includes a new data protection review court (DPRC) to investigate and resolve complaints regarding access to data by U.S. national security authorities
Not all U.S. companies may self-certify to the DPF. U.S. organizations that are not subject to the jurisdiction of either the Federal Trade Commission (FTC) or the Department of Transportation (DoT) cannot participate.
Perhaps not unexpectedly, on July 10, privacy activist group NOYB, which was founded by Maximilian Schrems, announced that it will be challenging the DPF on the basis that it is largely a copy of the Privacy Shield. If successful, Schrems III could see the DPF declared invalid like the Safe Harbour and the Privacy Shield before it.
UK Data Transfers, Post-Brexit
As the UK is no longer a member of the European Union, the DPF does not automatically enable the transfer of personal data from the UK to the U.S. Transfers of personal data from the UK will require a Data Bridge, which was agreed to in principle between the UK and U.S. governments on June 8.
On September 21, DSIT published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-U.S. Data Privacy Framework (the Regulations). The Regulations provide that for the purposes of the UK GDPR and the Data Protection Act 2018, the Secretary of State considers that the U.S. provides an adequate level of protection for personal data for certain types of transfers.
In order for UK data exporters to be able to rely on the Data Bridge, the U.S. importer must have self-certified to the DPF and the Data Bridge. Transferred personal data must be handled in accordance with the DPF principles upon receipt by the U.S. data importer.
The UK data protection authority, the Information Commissioner’s Office (ICO), has expressed reservations concerning the Data Bridge, which are as follows:
- Entities may not appropriately protect sensitive data: The Data Bridge definition of “sensitive data” does not match that of the UK GDPR, as the definition that appears in the Data Bridge does not specify all of the special categories of personal data identified in Article 9 UK GDPR. In addition, the Data Bridge definition includes a catch-all provision specifying “... any other information received from a third party that is identified and treated by that party as sensitive.” This discrepancy means that UK exporters will need to identify biometric, genetic, sexual orientation, and criminal offense data as “sensitive data” when sending information to the U.S. However, nothing in the UK GDPR currently requires UK organizations to identify information as sensitive. This means that protections for special categories of personal data may not be applied in practice.
- Criminal offense data may be less protected in the United States: In relation to criminal offense data, the U.S. does not provide protections equivalent to those set out in the UK’s Rehabilitation of Offenders Act 1974, which places limits on the use of data relating to criminal convictions when those convictions have been “spent” following the relevant rehabilitation period, including the ability to request that such data be deleted. The ICO observes that it is not clear how these protections would apply to information that has been transferred to the U.S.
- Individuals have fewer privacy rights: The Data Bridge does not contain a right substantially similar to the UK GDPR right that protects individuals from being subject to decisions based solely on automated processing which would produce legal or similarly significant effects on the data subject. In particular, the Data Bridge does not include a right to have an automated decision reviewed by a human.
In addition, the Data Bridge does not include a substantially similar “right to be forgotten” or to withdraw consent. While the Data Bridge gives individuals some control over their personal data, it is not as extensive as the rights they enjoy in the UK.
UK companies that are unable to rely on the Data Bridge for transfers of personal data to the U.S. may still rely on other safeguards, namely SCCs or BCRs. However, as with the DPF, there are specific requirements for transfers from the UK.
UK exporters that rely on the SCCs to transfer personal data to the U.S. or other third countries must be aware that the EU SCCs can no longer be used for new agreements for data transfers from the UK. The EU SCCs must either be appended with the UK Addendum to the EU SCCs or UK data exporters should use the UK International Data Transfer Agreement (IDTA) instead. UK data exporters that have already concluded contracts based on the EU SCCs on or before September 21, 2022 may continue to rely on the EU SCCs until March 21, 2024. After this time, UK exporters must adopt either the IDTA or the EU SCCs with the UK Addendum. UK exporters must also carry out a Transfer Risk Assessment (TRA) before they transfer personal data using the SCCs, using either the ICO TRA tool or guidance published by the European Data Protection Board (EDPB).
Note that EU BCRs no longer automatically enable the transfer of personal data from the UK to third countries; for such transfers, multinational organizations must have UK BCRs in place. Multinational corporations that have EU BCRs in place for which the ICO did not act as the lead data protection authority and where the ICO did not issue an authorization were eligible for UK BCRs provided they met certain conditions. These conditions included the submission of updated documentation to the ICO by June 30, 2021. The ICO advises those organizations which have EU BCRs in place, but which have not applied for UK BCRs, to avoid delay in making the necessary application.
© Arnold & Porter Kaye Scholer LLP 2023 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.