A View from the Bridge – The new UK-US “data bridge” and what this means for exporting data to the US.
Earlier this year, Mark Zuckerberg’s Meta was fined £1.2bn by the Data Protection Commission for breaching the EU’s General Data Protection Regulation (EU GDPR). The fine related to the export of EU customer data to the US and serves as a timely reminder of the jeopardy that has existed in transferring data to the US since the inception of the EU GDPR.
Following Brexit, the UK retained the GDPR (UK GDPR), meaning it faces the same peril. However, might the UK-US data bridge, introduced on 12 October 2023, offer a solution for UK data exporters?
The European background
As a general rule under the EU GDPR, the transfer of personal data from member states to a third country is prohibited. There are various “adequate safeguards” that can be put in place to bypass this restriction, but implementing them can be costly and time-consuming. To avoid these onerous safeguards, the European Commission can make what is known as an adequacy decision, which provides for the free transfer of data to an approved third country. The European Commission will make an adequacy decision where it is satisfied that a third country’s data protection laws are suitably similar to those of the EU GDPR, such that the protection afforded to EU citizens would not be undermined by data exports to that country.
On 10 July 2023, the European Commission made an adequacy decision in relation to US data transfers. Specifically, it approved what is known as the EU-US Data Privacy Framework (DPF), an opt-in certification scheme for US-based entities which sets out enforceable data handling principles and requirements that must be complied with. It means that EU-based organisations are now free to export data to any US entities that have opted in to the DPF without the need for further safeguards.
The UK-US Data Bridge
Given the close similarities between the EU GDPR and the UK GDPR, the adequacy decision of the European Commission was always likely to trigger a similar response in the UK. Indeed, whilst the UK Government may prefer different terminology, the new UK-US data bridge has the effect of an adequacy decision. The bridge acts as an extension to the European DPF (the UK Extension), whereby US entities can elect to also receive data from the UK in compliance with the principles of the DPF. This means that, like their EU counterparts, UK entities will now be able to freely transfer data to certified US organisations.
A word of warning
Whilst this may appear to herald a new dawn of seamless data transfer to the US, a look back to the recent past gives rise to concerns about the longevity of the framework. There have been two previous manifestations of the DPF, the “Safe Harbor” and the “Privacy Shield”, both of which were successfully challenged in the European Court of Justice (CJEU) by the privacy campaigner Max Schrems. In both instances the adequacy decisions were invalidated as it was found that the schemes were too inconsistent with the EU GDPR. Are the DPF and the UK Extension destined for the same fate?
Of particular concern in “Schrems I” and “Schrems II” were US law enforcement authorities’ continuing ability to access the data and the lack of a means of redress against US entities that misused data. The DPF has tried to resolve these issues, requiring the US to pass Executive Order 14086, which gives EU and UK citizens a redress mechanism where their data is unlawfully accessed by US authorities. Despite this, problems remain, with the ICO’s recent independent review of the UK Extension finding the following inconsistencies with the UK GDPR:
- The UK Extension provides citizens with less control over their data. Specifically, it contains no right to be forgotten (Article 7); no right to withdraw consent (Article 17); and no right to have an automated decision reviewed by a human (Article 22);
- The definition of “sensitive information” is much less specific in the UK Extension, meaning EU and UK entities will have to specify when information is sensitive; and
- It is not clear that the UK Extension provides protection for data relating to “spent” criminal convictions.
With these inconsistencies readily apparent, “Schrems III” in the CJEU seems inevitable. Only time will tell whether Mr Schrems will be able to score a hat-trick of invalidations or whether the CJEU will decide the DPF is sufficiently aligned with the EU GDPR. In the meantime, we encourage our clients to carefully watch this space whilst enjoying their newly afforded data freedoms.
Disclaimer: General Information Provided Only
Please note that the contents of this article are intended solely for general information purposes and should not be considered as legal advice. We cannot be held responsible for any loss resulting from actions or inactions taken based on this article.