A new data bridge, which is an extension of the EU-US Data Privacy Framework (“the DPF”), enables UK businesses to transfer personal data to certified US organisations without having to put the usual transfer safeguards in place or to carry out a transfer risk assessment. The data bridge came into force on 12 October 2023.
On 10 July 2023, the European Commission adopted an adequacy decision in respect of the DPF. Under the DPF, US businesses can self-certify, which involves committing to comply with provisions similar to those set out in the GDPR. Once those measures are in place and the US organisation has been publicly placed on the Data Privacy Framework List (“DPF List”), personal data can be transferred from the EU to that organisation without the transferring business having to adopt the usual safeguards or undertake a transfer risk assessment.
The UK Government later published the Data Protection (Adequacy) (United States of America) Regulations 2023, which give effect to the UK Extension to the EU-US Data Privacy Framework. These regulations designate the US as an “adequate country” for the purposes of transfers from the UK under the UK GDPR and the Data Protection Act 2018, but only in respect of transfers to US organisations certified under the UK Extension.
What is the significance of this data bridge?
This data bridge should make personal data transfers between the UK and the US less time-consuming and burdensome for businesses. However, since it has only recently been implemented, businesses that intend to rely on it should do so with some caution. For example, there has been discussion of legal challenges that could affect the validity of the data bridge, and some time will be needed before that validity is tested. Organisations may therefore wish to keep “back up” processes available, for example Standard Contractual Clauses or the International Data Transfer Agreement, in case the DPF is struck down.
Fact sheet issued by the UK Government
A fact sheet has been issued by the Department for Science, Innovation and Technology (“DSIT”) which includes the following key points:
- Only US organisations subject to the jurisdiction of the US Federal Trade Commission (“FTC”) or the US Department of Transportation (“DoT”) are currently eligible to participate in the DPF programme. Organisations not subject to the jurisdiction of either the FTC or the DoT, for example banking, insurance and telecommunications companies, are unable to participate in the DPF programme at this time.
- Certain special category and sensitive personal data is not covered by the DPF’s own definition of sensitive data, namely genetic data; biometric data for the purpose of uniquely identifying a natural person; and data concerning sexual orientation. If such data is transferred via the data bridge, the UK organisation must appropriately identify it as sensitive to the US organisation.
- Where criminal offence data is going to be shared under the UK-US data bridge as part of HR data, the US organisation must have indicated on its certification that it seeks to receive such data under the DPF.
- Before a UK organisation sends personal data to the US in this way, it must confirm that the recipient is certified under the DPF (and, when transferring HR data specifically, that the US organisation has highlighted this on its certification).
If organisations wish to rely on this data bridge, we would recommend that the following steps are taken:
- Ensure that the US organisation you wish to send personal data to via this data bridge is an active DPF participant; the public DPF List is accessible on the Data Privacy Framework website.
- Ensure that this US organisation has also signed up to the UK Extension to the EU-US Data Privacy Framework, as certification under the EU-US DPF alone is not sufficient.
- Keep an eye out for any challenges to the DPF. UK organisations may also want to have a back-up process for transferring personal data in case the DPF is found to be inadequate. For example, Max Schrems’ privacy organisation, NOYB, has indicated that it may challenge the DPF.
If you need any advice in relation to international data transfers, please do not hesitate to contact a member of the data protection team.