September 26, 2023
Data Protection Law

The UK – US Data Bridge is set to significantly ease the transfer of personal data from the UK to the US. From 12 October 2023, UK and US organisations will be able to use the UK – US Data Bridge to export/import UK personal data with more ease. 

Read on to find out more about the UK – US Data Bridge, and how it may impact your organisation or your personal data. 

Background

It is a well-known concept of data protection law in the UK/EU that electronically transferring personal data outside of those jurisdictions is a ‘restricted transfer’. 

In other words, it is unlawful unless certain exceptions apply. The rationale behind this provision in the original GDPR was to prevent the watering down of data subject rights by organisations simply removing personal data outside of the UK/EU – where UK/EU data protection regulators would have no authority. 

That said, the globalised nature of the world could have hardly been ignored. That is where the exceptions come into play. 

The main exception, pursuant to Article 45 UK GDPR, is that a restricted transfer may take place provided that it is to a destination country with ‘adequate’ status – adequate in the sense that the UK has determined that the destination country has the same or similar standard of data protection rights that the UK GDPR offers. 

Where a restricted transfer is to an adequate country, between the exporter and importer nothing else need be done. It should be noted, however, that the exporter/importer may have additional obligations under the UK GDPR, such as the Article 13(1)(f) UK GDPR requirement to notify the data subject that their personal data is being exported. 

If the destination country is not adequate, the exporter must put in place ‘appropriate safeguards’ to ensure that the data subject’s rights are protected in the destination country. There are various safeguards, as set out in Article 46 UK GDPR. The most frequently used are ‘standard contractual clauses’ published by the ICO. These contractual clauses (that either supplement or form a standalone agreement) ensure that data subjects have the contractual ability to enforce their data subject rights against the importer. When using standard contractual clauses, the exporter must first carry out a risk assessment to determine whether the exported personal data will be protected in the destination country.

Accordingly, there is an additional burden on both exporters and importers to ensure that additional safeguards are in place to protect the transferred personal data – and consequently to comply with the UK GDPR. That is why the list of adequate countries is so important to the smooth functioning of international data transfers. We have discussed the current list before here.

The list encompasses a fairly significant portion of the UK’s current trading relationships. But there is and has been a glaring omission: the US. The US accounts for a substantial amount of the UK’s trade flows, and most of the major technology and cloud computing companies used by UK businesses are based there. 

On 21 September 2023, the UK government laid The Data Protection (Adequacy) (United States of America) Regulations 2023 before Parliament (UK-US Data Bridge). This decision, which comes into effect on 12 October 2023, gives ‘adequate’ status to the US. This adequacy status is subject to certain conditions, which we explain below. 

Historical position

Historically, EU – US personal data transfers were governed by the EU – US Privacy Shield which went into effect on 12 July 2016. It provided EU personal data with additional protections if the data was sent to certain US organisations that registered with the EU – US Privacy Shield programme. Participating organisations in the EU – US Privacy Shield were deemed to be effectively ‘adequate’ for the purposes of the GDPR and no further documentation was required (as set out above). 

Ultimately, however, these protections were not deemed to be sufficient by the Court of Justice of the European Union in its famous Schrems II decision (binding on the UK). In that decision, it was held that the EU – US Privacy Shield did not sufficiently protect EU citizens from US government surveillance once that personal data was within the US (as the US authorities have the ability to view and intercept all electronic communications that flow through the US). The Schrems II decision also provided the legal rule under which EU/UK organisations must carry out a risk assessment before transferring personal data to non-adequate countries. 

The EU and the US entered into negotiations around a new agreement that would enable more seamless data flows between the EU and the US, in light of the Schrems II decision. Agreement was reached earlier in the year, and on 10 July 2023 the EU formally approved what is now known as the EU-US Data Privacy Framework. 

The UK has conducted parallel negotiations with the US. In essence, the UK-US Data Bridge tacks onto the EU-US Data Privacy Framework, and indeed utilises the same processes that US organisations are to use to receive personal data under the framework. 

UK – US Data Bridge in practice

The EU – US Data Privacy Framework is an opt-in scheme for US organisations to receive EU personal data under the Framework. US organisations can register with the US Department of Commerce here, but the certification itself is handled by the US Federal Trade Commission.

The main difference between the EU – US Data Privacy Framework and the previous Privacy Shield is that, under the Framework, there is an independent and binding redress mechanism for data subjects to ensure that EU data subjects can enforce their rights against US intelligence agencies, and a separate recourse mechanism for breaches by the US organisation. US organisations registering with the Framework will still need to commit to the protection of personal data to the UK/EU GDPR standard. 

US organisations can, in signing up for the Framework, select an option for them to receive UK personal data under the UK – US Data Bridge. So the UK – US Data Bridge folds into the EU mechanism, and can be considered together. 

Opting in to the UK – US Data Bridge

For US organisations that wish to benefit from the UK – US Data Bridge/EU – US Privacy Framework, it must meet particular requirements before applying. A summary of these requirements is as follows:

  • Publish a compliant privacy policy – in short this would be a privacy policy up to the EU/UK standard. There are also additional requirements for the US organisation to state that it is compliant with the EU – US Privacy Framework and to specify the particular independent recourse that the US organisation has joined (more on this below). 
  • Ensure that the technical and organisation measures in place to protect personal data are at the EU/UK GDPR standard. 
  • The US organisation must subscribe to a private third-party arbitration service that data subjects may revert to if they consider that the US organisation is in breach of the UK/EU GDPR free of charge.  
  • The US organisation must pay a contribution to the US Department of Commerce’s arbitration fund, which data subjects may utilise if they wish to obtain a binding and enforceable decision in respect of the US organisation’s handling of personal data. 
  • Designate a point of contact that UK/EU data subjects can contact at the US organisation and who has sufficient authority to verify that the US organisation is compliant with the EU – US Privacy Framework.  

There are slightly different requirements if only employee related data is being transferred to a US affiliate or third-party service provider of a UK/EU exporter of personal data. 

Once it meets these requirements, the US organisation must simply register its information at the Department of Commerce website. Once approved, UK-US data flows can proceed at the ‘adequate’ standard. 

It should be noted that, where the UK/EU organisation is the controller of the exported personal data and the US organisation is a processor, there must be a contract in place between these entities in compliance with Article 28 UK GDPR. This is a standard obligation that applies whether or not personal data is being exported. 

Challenges ahead?

The EU – US Privacy Framework has already encountered significant challenges within the EU. A French MEP has filed claims in the European Court of Justice seeking to invalidate the EU – US Privacy Shield, and Max Schrems is reportedly considering his options. Without a federal privacy law in the US that prevents the mass collection personal data for intelligence purposes, it appears that any US – EU agreement may face a ‘Schrems III’. 

Despite Brexit, the UK – US Data Bridge effectively hinges on the outcome of these challenges. Whilst any European Court of Justice decision would not be binding on the UK, if the EU – US Privacy Framework was to fall away it is unlikely that the UK – US Data Bridge would survive. The approval and regulatory mechanisms within the US have been built entirely around the EU’s needs, and, as above, the UK has been subsumed into those requirements to the extent that US organisations do not need to pay twice to become certified and receive EU and UK data subjects’ personal data. 

Next steps

At EM Law, we are experts in data protection. We have extensive experience advising US businesses in respect of their potential obligations under the GDPR, and we have helped many UK organisations export personal data to the US and around the world. 

If you are a potential UK personal data exporter or if you are a US organisation looking for UK/EU GDPR advice, you have come to the right place. Please do not hesitate to contact Neil Williamson or Colin Lambertus directly, or the firm via our contact page here.