On 21 September 2023, the Secretary of State for Science, Innovation and Technology laid before the UK Parliament the Data Protection (Adequacy) (United States of America) Regulations 2023 (the Regulations) in order to establish a UK-US “data bridge”. The Regulations will come into force on 12 October 2023.
The UK-US data bridge is the UK Government’s preferred terminology to describe its decision to permit the flow of personal data from the UK to the US, achieved through the UK Extension to the EU-US Data Privacy Framework. The Secretary of State’s decision to lay the Regulations before Parliament reflects her conclusion that the UK Extension to the EU-US Data Privacy Framework provides an adequate level of data protection and that UK data subject rights are not undermined.
This development follows the US Attorney General’s 18 September 2023 decision to designate the UK as a “qualifying state” for the purposes of eligibility for the redress mechanism established in section 3(f) of Executive Order 14086. The US Attorney General determined that UK data protection laws require appropriate safeguards, and that designation of the UK would advance the national interests of the US and further the implementation of a data bridge. This designation allows UK data subjects to seek redress if they believe their personal data was collected or processed by US authorities for national security purposes in a manner that violated applicable US law.
Therefore, from 12 October 2023, UK businesses may transfer personal data to US organisations certified under the UK Extension to the EU-US Data Privacy Framework without need for alternative safeguards such as standard contractual clauses.
Those US organisations that have committed to comply with the enforceable principles and requirements under the UK Extension to the EU-US Data Privacy Framework can be identified on the Data Privacy Framework List. Organisations not subject to the jurisdiction of the US FTC or the US DoT, such as banks, insurance and telecommunications companies, are not eligible to participate.
Organisations should take care to review the nature and scope of transfers permitted in practice and to consider the steps that should be taken to effectively make those transfers in accordance with the new arrangements. For example, certain journalistic personal data may not be transferred in reliance on the UK-US data bridge. It will also be necessary to actively indicate to the US recipient organisation that it must treat genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation as sensitive information. Whilst these types of data are special categories of data under Article 9(1) UK GDPR, they are not designated as sensitive information under the UK Extension to the EU-US Data Privacy Framework. Specific identification to the data recipient is therefore required. There are also specific requirements regarding the transfer of certain criminal offence data.
In addition, organisations will need to update privacy policies and document their own processing activities as necessary to reflect any changes in how they transfer personal data to the US.
In exercising its function under the UK DPA 2018, the UK Information Commissioner issued an opinion in relation to the UK Government’s assessment of the UK Extension to the EU-US Data Privacy Framework. He stated that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied. Alongside the more general obligation on the Secretary of State to review and monitor the level of data protection offered by a third country, the Information Commissioner advised the Secretary of State to monitor the following areas so that differences between the US and UK regimes do not result in a reduction in data protection for UK data subjects:
- the definition of “sensitive information” (as noted above);
- the potential delta between the UK’s approach to criminal offence data and that in the US, such that equivalent protections may not exist for certain types of criminal offence data in the US;
- the lack of a substantially similar right to the protections under the UK GDPR regarding solely automated decision making (e.g. there is no right to obtain a human review of solely automated decisions); and
- the lack of a substantially similar right to the right to be forgotten and the right to withdraw consent unconditionally.