The UK and US have long been like-minded allies, promoting cross-border business relationships. With that in mind, it is surprising that the US and UK have (until recently) had an inharmonious relationship when it comes to data sharing. This is primarily due to the EU decision in Schrems II, which found that the original ‘privacy shield’ designed to support data sharing between the EU (and UK) and the US was inadequate. In an effort to bolster this relationship, the UK has now become party to a new EU-US data bridge.
What does this mean for UK organisations?
Transferring personal data to countries outside of the UK has long required careful consideration to ensure compliance with data protection law.
Under UK GDPR, personal data can be freely transferred to a country that is covered by an ‘adequacy decision’. The purpose of such a decision is to ensure that individuals are afforded the same level of protection as they would have under UK law when their data is transferred to an organisation in another country.
In this case the UK has decided to piggy-back on the European Union’s adequacy decision that covers the EU-US privacy framework for international transfers of data between the US and the EU. The resulting UK adequacy decision is an extension of that framework.
Strictly speaking, the EU Commission issues adequacy decisions and the UK passes ‘adequacy regulations’. In an attempt to make data protection terminology just a little bit more accessible, the UK has recently taken to calling these measures a data bridge.
Having a data bridge with a country means that the UK has deemed that country to provide an adequate level of data protection. The benefit of having a data bridge in place is that it allows a more straightforward process to transfer personal data to that country or territory.
A data bridge already exists for transfers to a number of territories, including the EEA, Switzerland, New Zealand and Argentina as well as Gibraltar, Jersey, Guernsey and the Isle of Man. Partial data bridges also exist for Canada and Japan, offering more straightforward data sharing in limited circumstances.
To ensure that both the data controller and the receiver are legally bound to adhere to data protection principles, data transfers from the UK to countries without a data bridge will require appropriate safeguards before personal data can be transferred cross-border.
These safeguards are listed in Article 46 of the UK GDPR and include:
Relying on a mechanism listed above also requires the organisation to carry out a transfer risk assessment or TRA. This isn’t always a straightforward exercise.
The UK extension to the EU-US Data Privacy Framework (DPF) allows organisations to become certified for data sharing purposes. Certification under the DPF means that sharing data with these organisations no longer requires the appropriate safeguards noted above. The removal of the requirement for a TRA for these UK/US data transfers will also be welcomed, as this is widely hailed as a complex and cumbersome exercise.
Like those in place for Japan and Canada, the UK/US data bridge is a partial bridge. Only some US organisations will have signed up to the DPF. For organisations which are not certified, the rules remain unchanged.
The DPF is an opt-in system and organisations must sign up through an online self-certification process. Before sharing information with a US organisation under the bridge, you must confirm that they are certified as a participant in the DPF. This can be done by searching the DPF list at dataprivacyframework.gov.
Organisations in the banking, telecoms and insurance sectors will be automatically excluded, as they do not fall under the jurisdiction of the regulatory bodies that have facilitated the data bridge. Furthermore, any organisations previously registered under the EU/US bridge will need to amend their certification to include the UK following the extension.
If you are not satisfied that the organisation meets the DPF requirements, you should revert to the pre-existing appropriate safeguards and risk assessments mentioned above before transferring any data.
Importantly, certification does not mean there is a catch-all free pass for data sharing. Information classed as special category under Article 9 of the UK GDPR (i.e. data relating to an individual’s health, religious or philosophical beliefs, political opinions, racial or ethnic origin, etc.) does not have an identical equivalent under US law. Sharing such sensitive information under the data bridge may therefore still warrant extra consideration. The ICO recommends that special category personal data be clearly identified and labelled as such before sharing. The same applies to HR data collected in an employment relationship: before sharing it, an organisation must check that the recipient’s certification specifically covers HR data.
While the UK/US data bridge is to be welcomed, organisations should be mindful of the caveats set out above.
The ICO has made some comments on the data bridge, including concerns about special category data and the lack of protection equivalent to that contained in Article 22 of the UK GDPR on automated decision-making and Article 17 on the right to erasure. At the same time, several other parties have indicated their intention to challenge the framework at an EU level. We recommend keeping an eye out for future developments.
For further information on how we can assist your organisation with international data transfers, please get in touch with Douglas McLachlan, Lorraine Currie or your usual Anderson Strathern contact.