We recently reported that the EU-US data privacy network (EU-US data bridge) took effect to grant partial adequacy for certain data transfers from the EU to the US. On 12th October, the UK extension (UK-US data bridge) also took effect and will facilitate the transfer of personal data to the US without the need for further safeguards.
Until 12th October, there was no adequacy decision relating to data transfers from the UK. Following the UK’s exit from the EU, the UK Government granted adequacy only in respect of the countries for which an EU adequacy decision had already been granted. At that time, there was no adequacy decision in place for the US, and so transfers of personal data under both EU GDPR and UK GDPR to the US required additional safeguards to be implemented before transfers could take place.
Unfortunately, UK businesses could not automatically rely on the EU-US data bridge, and the UK Government had to legislate to enable the EU-US data bridge to be extended to apply to UK data exports.
In common with the EU-US data bridge, the UK-US data bridge is only a partial adequacy decision. It allows UK organisations to export personal data to US organisations which are self-certified under the FTC’s Data Privacy Framework (DPF) without also needing to put in place a transfer mechanism such as the UK International Data Transfer Agreement (IDTA) or a UK Addendum to the EU Standard Contractual Clauses (SCCs).
Self-certification under the DPF requires US organisations to commit to compliance with certain Data Privacy Framework Principles, to publish privacy policies and to provide details of their data processing activities.
The UK ICO expressed concern about various shortcomings, notably the lack of a legal requirement to specify certain special category personal data as sensitive personal data. Accordingly, the ICO recommends that UK organisations should identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a US certified organisation. The ICO also pointed to a lack of protection for individuals against solely automated processing which would produce legal effects for them. In the increasingly important context of AI, it will be important to ensure that individuals have the right to obtain a human review of automated decision-making. Other concerns are that the right to be forgotten is not as extensive as the control individuals have under UK GDPR and, finally, that there is no protection requiring data relating to ‘spent’ criminal convictions to be deleted.
Certification status of a US organisation can be checked by making a search on the DPF website. US organisations which are already certified under the EU-US framework need to amend their certification to include the UK extension. Not all sectors qualify for self-certification under the DPF (those that do not qualify include banking, insurance, telecommunications and personal data gathered for journalistic purposes).
UK exporters still need to prepare Transfer Impact Assessments (TIAs) even when relying on the UK-US data bridge. However, as we explained in our previous note, these will be much easier to conclude because reference can be made to the data importer’s DPF status. Data processing agreements are also still required.
As the UK-US data bridge is only a partial adequacy decision, UK organisations exporting personal data to a US organisation which is not certified under the DPF will still need to implement another transfer mechanism, such as the IDTA or SCCs, alongside their data processing agreements with US importers.
There remains uncertainty over the long-term future of the data bridge. Max Schrems, who brought the repeated challenges against its predecessors, has already indicated that a challenge will be brought.
It may therefore be prudent for organisations exporting data outside of the UK in reliance on the UK-US data bridge to consider including a clause in their contracts that requires the parties to enter into an alternative transfer mechanism in the event that the data bridge is suspended or if the ICO or a UK court determines that the data transfers should be suspended.
The Department for Science, Innovation and Technology (DSIT) recently published its summary and initial conclusions from the first phase of an evaluation into the implementation of the ICO’s IDTA and approaches to data transfers. The evaluation (albeit very limited in scale) concludes that uptake of the IDTA has mainly been by large organisations with in-house data protection teams, who tended to have a positive or neutral view of the ease of implementation and the low costs of using the IDTA. Unsurprisingly, smaller businesses were generally less aware of their obligations in relation to international data transfers and were mostly not aware of the IDTA or SCCs. They often relied on larger suppliers to drive the process and produce transfer mechanism documents.
For further commentary on the data bridge please see our previous note on the EU-US data bridge, and for advice on international data transfers and data protection compliance generally, our Data Protection & Privacy Team will be happy to assist you.