Out-Law News
22 Sep 2023, 1:58 pm
A new framework designed to promote business between the UK and US, by facilitating the free flow of personal data between the two countries, will begin to apply from 12 October.
The UK-US ‘data bridge’ is an extension to the EU-US Data Privacy Framework (DPF), which was adopted and took effect in July.
The DPF sets out a series of privacy principles that eligible US organisations can self-certify against on an opt-in basis. The certification scheme is underpinned by legal safeguards and oversight mechanisms that are designed to ensure that personal data transferred from the EU to the US is subject to data protection standards essentially equivalent to those that apply to the data when it is in the EU. In adopting the DPF in a so-called ‘adequacy decision’, the European Commission has essentially recognised that data transferred to the US in line with the requirements of the framework is transferred in a way that complies with EU data protection laws.
With the new UK-US bridge, US organisations will have the option to extend their DPF certification to include UK-US data transfers. The regulations to facilitate this have been laid before the UK parliament and are due to come into force on 12 October. The regulations give effect to the UK’s own ‘adequacy decision’ in respect of the transfer of personal data to the US.
Data protection law expert Jaya Handa of Pinsent Masons said: “The UK-US data bridge will be welcome news for many organisations as it has the potential to reduce administrative costs on businesses and increase opportunities for international trade. International collaboration is fundamental to harness the global opportunities presented by data and the UK-US bridge aims to act as a catalyst for such innovation.”
“Many multinationals have struggled with streamlining processes for data transfers out of Europe in the absence of a UK extension to the EU-US agreement. Politically, extending the EU-US framework negates the risk of the UK diverging from the EU’s equivalency expectations. Operationally, organisations can now explore opportunities to update transfer processes and be more confident in the robustness of their data flows. UK individuals will also have greater certainty that there are stronger safeguards protecting their rights and freedoms when their data is transferred to the US,” she said.
“Regardless of the transfer mechanism used, appropriate due diligence and remediation is still required in advance of international transfers. Organisations should also be aware that there are likely to be challenges to the UK-US data bridge aligned with the challenges to the EU-US Data Privacy Framework,” Handa said.
The UK’s data protection authority, the Information Commissioner’s Office (ICO), said that while it was “reasonable” for the UK government to issue an adequacy decision in respect of the US, it has identified “four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied”.
One of the concerns raised by the ICO relates to how ‘sensitive data’ is defined in the UK-US data bridge. It said the term has a narrower definition than the equivalent ‘special category data’ definition in UK data protection law and that this “creates a risk that the protections [that should be applied to special category data] may not be applied in practice”. The UK government has proposed issuing guidance to address this.
Another concern raised by the ICO relates to the extent to which protections applicable to the processing of criminal offence data under UK law have been mapped over into the UK-US data bridge. It has also queried whether the UK-US data bridge provides sufficient safeguards in relation to automated decision-making and said data subjects will have a lesser degree of control over how their data is processed under the framework than they do under UK data protection law.