A (data) bridge over (not so?) troubled waters – Part II


22nd September 2023

In a welcomed and long awaited announcement, the UK Government has published regulations which will help facilitate transfers of personal data from the UK to US companies which are certified under the Data Privacy Framework without any additional restrictions from 12th October 2023.

Background

On the 2nd August 2023 we wrote about the EU-US Data Privacy Framework (the DPF) which allowed for the transfer of EU personal data to US companies which were certified under the DPF without any additional restrictions. However, as the UK no longer form part of the EU, UK organisations could not directly benefit from that DPF and were left to seek other, resource consuming, options for transfers of personal data from the UK to the US.

These included safeguards such as entering into standard contractual clauses in the form of the International Data Transfer Agreement or Addendum which also required undertaking a transfer risk assessment – such steps were at best time consuming and resource intensive for those organisations and at worst would put off their US counterparties from working with UK companies due to the added requirements.

The UK extension

However, having reached a commitment to establish a UK extension to the DPF, the UK Government’s Department for Science Innovation and Technology has now laid The Data Protection (Adequacy) (United States of America) Regulations 2023 (the Regulations) before Parliament which will now permit transfer of personal data from the UK to those US organisations US organisations who are included as UK certified on the United States’ Department of Commerce Data Privacy Framework List (which can be found here). The Regulations will come in to force on the 12th October 2023.

This is a welcomed and long awaited announcement for organisations in the UK who use contractors and processors in the US. This will allow such organisations to share personal data with certified US organisations without having to have additional safeguards in place and will simplify and quicken transfers from the UK to eligible US organisations and reduce costs.

Choppy waters?

However, this announcement does come with some health warnings.

Transfers are only permitted to those organisations which appear as UK certified on the DPF List. Organisations may self-certify that they satisfy the DPF requirements. However, as DSIT’s factsheet points out, only US organisations subject to the jurisdiction of the US Federal Trade Commission or the US Department of Trade are currently eligible to participate in the DPF and those US organisations not subject to those organisations’ jurisdiction of either (for example, banking, insurance, and telecommunications companies) are unable to participate in the DPF program at this time.

Additionally, US organisations who wish to be certified under the DPF must agree to comply with the DPF Principles including making a public commitment to do so via a published privacy notice. The UK extension to the DPF requires US organisations who wish to be certified in the UK to also comply with additional UK-specific requirements – therefore there could be US organisations who have certified for EU transfers but not for UK transfers. As such, UK organisations will not be able to freely transfer personal to all US organisations but may only rely on the Regulations to transfer personal data to a relatively limited number of US organisations.

It is also important to note that this is the third attempt by the EU (and by extension the UK) in relation to an adequacy decision allowing transfers to the US. As set out in our previous post, the European Court of Justice has already struck down the Safe Harbor and EU-US Privacy Shield safeguards as a result of challenges from Max Schrems. Mr Schrems has already indicated that he will seek a hattrick with an intention to challenge the DPF and the Member of the French Parliament Philippe Latombe has also lodged a request to annul the DPF, it is likely that the DPF will face choppy waters.

Should a challenge to the EU’s DPF succeed and the EU DPF be annulled, because of the structure of the drafting of Regulations ensuring that the Regulations are not interdependent to the EU’s framework, such Regulations would not automatically fall away but it would likely give rise to political questions where the UK would be continuing to deem the US adequate in circumstances where the EU’s judiciary had ruled that they were not. Watch this space.

It should be noted that notwithstanding the establishment of this data bridge, UK organisations will still need to have a lawful basis to transfer the personal data as well document the arrangements that they have in place with the entities in the US with whom they share their personal data (such as a data processing or data sharing agreement). They should also be satisfied that those organisations have appropriate measures in place to keep the personal data safe.

Guidance

The UK Government has published a number of supporting documents:

Should you have any queries regarding data protection, please contact our specialist data protection team here.

Data protection training

Book a place on our BCS accredited training course

Sign up here

Enjoy That? You Might Like These:


articles

16 December -
The UK Government has confirmed its proposals to press ahead with the Private Intermittent Securities and Capital Exchange System (PISCES). In her first Mansion House speech, Rachel Reeves confirmed that... Read More

articles

12 December -
How will competition law be enforced? On 5 December 2024 the UK’s Competition and Markets Authority (CMA) published a speech by Juliette Enser, interim Executive Director for Competition Enforcement, on... Read More

articles

5 December -
On 1 January 2025 key provisions of the UK’s Digital Markets, Competition and Consumers Act 2024 (the Act) will be brought into force, introducing important reforms to UK competition law.... Read More