In July of this year, the European Commission ushered in a significant development in the world of data privacy by adopting its adequacy decision for the EU-US Data Privacy Framework (DPF). The decision granted a lawful basis for transferring personal data from European Economic Area (EEA) based organisations to US companies certified under the DPF, a monumental stride towards bridging the gap in data privacy standards between the EEA and the United States. However, it left a lingering question: “What about UK-US data transfers?” Fortunately, we now have an answer. The UK introduced the UK-US Data Bridge.
The UK-US Data Bridge
In a pivotal move, Michelle Donelan MP, the UK Secretary of State for Science, Innovation, and Technology, formally established a “UK-US data bridge,” aptly named the Data Bridge. This new framework proposes to provide a lawful basis for data transfers between the UK and the US similar to that provided by the EU-US DPF. Draft adequacy regulations were laid before Parliament in September 2023, with the framework set to come into force on October 12, 2023.
The Data Bridge extends the principles of the DPF to UK-US data transfers, ensuring that the same risk assessments and Executive Orders made by the US Government apply uniformly to personal data from both the EEA and the UK. This seamless approach benefits businesses with pan-European operations, simplifying their handling of transatlantic data transfers as long as the US-based data importer has opted in and been certified under the DPF.
Similar to the Privacy Shield and Safe Harbor regimes that preceded them, the DPF and the Data Bridge do not automatically deem every data transfer to the US “safe.” Instead, they designate US organisations that adhere to the DPF principles as safe recipients of personal data. These organisations commit to upholding General Data Protection Regulation (GDPR) principles regarding data transferred from the EEA or the UK. A list of DPF participants is available online for reference.
Challenges and Considerations
While the Data Bridge is a significant step forward, it has challenges. The Information Commissioner’s Office (ICO) has offered its opinion on the UK Government’s assessment of adequacy for the Data Bridge, raising some essential concerns:
- Sensitive Information: The definition of “sensitive information” under the Data Bridge lacks specificity regarding special categories of personal data, as outlined in Article 9 of the UK GDPR. Instead, it includes a catch-all provision, requiring UK organisations to identify biometric, genetic, sexual orientation, and criminal offence data as sensitive when sending it to US-certified organisations.
- Criminal Offence Data: The Data Bridge does not incorporate protections equivalent to the UK’s Rehabilitation of Offenders Act 1974, potentially posing risks for criminal offence data transferred to the US.
- Automated Decision-Making: The Data Bridge doesn’t provide a right similar to Article 22 of the UK GDPR, which protects individuals from decisions based solely on automated processing. This omission could be particularly relevant for data transfers involving AI systems.
- Right to Erasure and Withdrawal of Consent: The Data Bridge lacks substantial rights equivalent to the UK GDPR’s right to erasure (the “right to be forgotten”) and an unconditional right to withdraw consent. This reduces individuals’ control over their data when it leaves the UK.
Establishing the UK-US Data Bridge is a significant development for data privacy, allowing UK organisations to engage in lawful data transfers to US counterparts certified under the DPF. While this bridge has the potential to simplify transatlantic data transfers, it has its challenges, as identified by the ICO. The need for clear guidance, particularly regarding sensitive data and protections for various data types, remains vital to ensure the privacy rights of individuals are upheld.
As the UK moves forward with these adequacy regulations and the Data Bridge becomes operational, ongoing monitoring and assessment will be essential to address the identified concerns and maintain the delicate balance between data transfer facilitation and data protection.