Why should I read this?
A new UK-US data bridge will be available to businesses in the UK looking to transfer personal data to organizations in the United States certified under the UK Extension to the EU-US Data Privacy Framework (UK Extension) from 12 October 2023, without the need for an additional transfer safeguard such as the UK’s International Data Transfer Agreement or Addendum to the EU Standard Contractual Clauses.
This is positive news for UK organizations. It expands the options available for transfers of personal data from the UK to the US. Organizations sending personal data to importers participating in the UK Extension will not need to carry out a transfer risk assessment. The development also brings the UK’s data transfer rules back in step with the EU.
However, organizations should note that in their review of the UK-US data bridge, the UK’s Information Commissioner (ICO) identified areas that “could pose some risks” to UK data subjects if the protections identified (including clearly specifying any transfers of sensitive personal data) are not properly applied.
Background
The UK’s Secretary of State can specify that a country outside the UK ensures an adequate level protection of personal data, by making adequacy regulations (or data bridges as the UK Government prefers to call them). This is one way in which organizations subject to UK data protection law (the UK GDPR and Data Protection Act 2018) can transfer personal data out of the UK without the need for additional safeguards, such as the UK’s International Data Transfer Agreement or UK Addendum to the EU Standard Contractual Clauses.
In July, we reported that the European Commission adopted an adequacy decision in respect of the EU-US Data Privacy Framework (DPF), which enables organizations to transfer personal data freely from the EU to US companies participating in the DPF. At the time, the US Department of Commerce (DoC) confirmed that eligible US organizations would be able to self-certify compliance pursuant to a UK Extension to the DPF from 17 July 2023, but could not rely on the UK extension to receive personal data transfers from the UK before the date that the UK’s relevant adequacy regulations enter into force.
The Department for Science, Innovation and Technology (DSIT) has now announced that the UK’s new adequacy regulations were laid in Parliament on 21 September 2023, following the US Attorney General’s designation of the UK as a “qualifying state” under Executive Order (EO) 14086 earlier that week. The designation enables UK individuals whose personal data is transferred to the US (under any transfer mechanisms) access to a newly established redress mechanism where they believe that their personal data has been accessed unlawfully by US authorities for national security purposes. As with the DPF, this designation under EO14086 was a significant factor that led to UK’s successful adequacy regulations assessment.
The adequacy regulations will come into force on 12 October 2023. From this date, organizations based in the UK will be able to transfer personal data to organizations certified under the UK Extension without needing to put in place alternative safeguards.
Reminder of how the UK Extension to the EU-US DPF works
The EU-US DPF is a voluntary self-certification based framework of principles providing protections for personal data transferred from the EU to certified US organizations. In order to self-certify, eligible US organizations must agree to comply with the principles and make a public commitment to do so via a published privacy policy. The DPF principles comprise commitments in relation to data protection and set out requirements on how an organization collects, processes and discloses personal data. The DPF is administered by the US Department of Commerce (DoC), which processes applications for certification and monitors whether participating companies continue to meet their certification criteria. The US Federal Trade Commission (FTC) is responsible for enforcing compliance with the DPF.
Only US organizations subject to the jurisdiction of the FTC or the US Department of Transportation (DoT) can participate in the DPF program. Therefore, organizations falling outside the jurisdiction of the FTC or DoT — for example, banking, insurance, and telecommunications companies — are currently not able to self-certify under the DPF.
The protections provided by the DPF do not extend to journalistic data – which includes personal information gathered for publication, broadcast, or other forms of public communication of journalistic material.
The DoC agreed to extend the DPF to personal data transferred from the UK to certified US organizations, under what is known as the UK Extension. Where an organization has self-certified under the DPF, it may elect to also be certified under the UK Extension by making additional UK-specific commitments as part of their outward-facing commitments and by indicating their participation in the UK Extension to the DoC.
The UK’s Secretary of State is required to monitor, on an ongoing basis, developments in the US which might affect the protection provided for transfers under the UK Extension, In addition, the Secretary of State must undertake a review of whether there continues to be an adequate level of protection under the UK Extension every four years.
Information Commissioner’s Opinion on the UK Extension to the EU-US DPF
But is the devil in the detail? As part of its announcement, DSIT published a number of supporting documents, including the Information Commissioner’s opinion: UK government’s assessment of the UK Extension to the EU-US Data Privacy Framework. In its opinion, the Information Commissioner highlighted four areas that “could pose some risks to UK data subjects if the protections identified are not properly applied”. In light of these risk areas, the Commissioner gave only a qualified assurance to Parliament in respect of the UK-US data bridge.
The Information Commissioner notes that the definition of “sensitive information” under the UK Extension does not explicitly refer to biometric, genetic, sexual orientation and criminal offence data. Instead, it includes a catch-all provision stating that “…any other information received from a third party that is identified and treated by that party as sensitive”. According to the Information Commissioner, to address this gap, UK organizations transferring personal data on the basis of the UK-US data bridge should identify biometric, genetic, sexual orientation and criminal offence data as “sensitive data” upon transfer so that it is sufficiently treated as such under the UK Extension. There is a risk that where such data is not identified as sensitive upon transfer, then it will not be sufficiently protected. In line with the Information Commissioner’s advice, DSIT has published a factsheet which states that special category and sensitive data can be shared with US organizations under the DPF, however this must correctly be identified by UK organizations as such when it is being shared. However, this recommendation has not been formally ratified in the relevant statutory instrument – the adequacy regulations.
The Information Commissioner also observes that, as far as they are aware, there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974 (ROA), which limits the use of data relating to ‘spent’ convictions following the relevant rehabilitation period e.g. ability to request that this data is deleted. It is unclear how these protections would apply once this type of data is transferred to the US. The DSIT factsheet states that when sharing criminal offence data it should be indicated to the US recipient organization that it is sensitive data requiring additional protections (as for other special categories of personal data, above), but is silent on the point around ROA point.
Further, the UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual – a right which is becoming more and more valued by individuals against the backdrop of burgeoning use of AI. In addition, the UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent. Again, the DSIT factsheet is silent on these points.
The Commissioner recommends that the Secretary of State should: (i) evaluate the effectiveness of the guidance (issued in respect of indicating sensitive personal data) in affecting practice; and (ii) monitor the relevant risk areas so that the differences in UK and US law do not result in a reduction in protections for data subjects.
What should I do?
UK organizations transferring personal data to the US on the basis of the UK Extension to the DPF should take the following steps:
- Confirm the data importer (the US recipient) has an active DPF certification. You can do this by going to the DPF List and checking the alphabetical list or by using the organization search bar.
NB When importing HR data specifically, US organizations must have highlighted this on their certification.
- Confirm that the data importer has signed up to the UK Extension.
NB If you want to transfer HR data, you should confirm that HR data is covered by the organization’s DPF commitments. This can be done by checking the relevant privacy policy or policies for HR data and/or non-HR data, these policies are located under the “Privacy Policy” section of the importer’s DPF program record.
- If the personal data you are transferring includes any genetic data, biometric data for the purpose of uniquely identifying a natural person; data concerning sexual orientation or criminal offense data, then explicitly identify it as “sensitive” to the data importer, to ensure it attracts the appropriate protections under the DPF.
- Consider adopting an alternative fallback safeguard (e.g. the UK Addendum to the EU Standard Contractual Clauses) as an extra layer of protection, in case the UK-US data bridge is invalidated. (see our further commentary on this point below)
Transfer impact assessments (TIA): If you are transferring personal data to the US on the basis of the UK Extension to the DPF, you will not need to conduct a TIA. The DSIT was silent on whether the UK-US data bridge means that UK organizations transferring personal data to the US on the basis of other transfer safeguards (e.g. the UK Addendum to the EU Standard Contractual Clauses) still need to conduct a TIA. However, it is possible that they do not – this would align with the rationale taken in the European Commission's Q&A on the EU-US DPF (see question 7). A prudent approach for those organizations would be to put in place a very short TIA which signposts out to the UK-US data bridge and its supporting documentation.
What else do I need to know about the UK-US data bridge?
The EU-US DPF is already under threat – an application for annulment of the EU-US DPF has recently been made by a member of the French Parliament. As we have noted previously, the DPF’s predecessors, the Safe Harbour Privacy Principles and the EU-US Privacy Shield were invalidated by the CJEU in 2015 and 2020 respectively, following legal challenges. It remains to be seen whether the UK-US data bridge will prove to be as futile. We will keep you updated in this regard.
For the time being, the UK-US data bridge provides a legitimate mechanism for organizations in the UK looking to transfer personal data to the US, as long as the steps outlined above are taken.
[View source.]
