Dawn of a new data bridge?

Marking a milestone for the EU-US Data Privacy Framework (the “EU DPF”), an investiture ceremony was held on 14 November 2023, announcing the first panel of judges to the Data Protection Review Court (“DPRC”) in the United States ("US”).

The DPRC was created through an Executive Order (“Enhancing Safeguards for United States Signals Intelligence Activities”) signed by President Biden in October 2022, which provides a new redress process open to individuals of qualifying states (including the EU and UK), if they believe their personal data was collected by the US government in the conduct of signal intelligence activities, in a manner that contravened applicable US law (which now incorporates, the EU-US Data Privacy Framework and UK-US Data Bridge Extension).

The Attorney General commented that this “Executive Order and the new Justice Department regulations are a critical part of the EU-U.S. Data Privacy Framework and the UK-U.S. Data Bridge Extension. These arrangements reflect the strength of U.S. partnerships with the European Union and the United Kingdom and the shared commitment to the rule of law and respect for the value of individual privacy.”

The creation of the DPRC is a move that indicates the US government must take into consideration privacy and civil liberties of all persons regardless of nationality or residence. Against this backdrop, we wanted to examine the data privacy regimes between the EU, UK and the US more generally.

What is the EU-US Data Privacy Framework?

The EU DPF has been borne out of the European Commission confirming that it had adopted its Adequacy Decision for a new EU-US Data Privacy Framework (the “Decision”) on 10 July 2023. The Decision follows the Schrems II judgment in 2020, after which the EU and US entered into discussions regarding how to create a new EU-US Data Privacy Framework that would meet the requirements as set by the Court of Justice of the European Union following the invalidity of the previous Privacy Shield Scheme and Safe Harbor scheme.

Under the new EU DPF, the US provides an adequate level of protection, comparable to that which is ensured within the EU for personal data transferred from the EU to the US. This will now enable the safe flow of data from the EU to the US for those companies participating in the Framework, and a redress mechanism for data subjects, without requiring additional data protection safeguards such as standard contractual clauses or binding corporate rules.

US companies will have to join the EU DPF on a certification basis. However, some sectors are currently outside of the remit of the EU DPF (e.g. banking, insurance, and telecommunication), as they are not under the jurisdiction of the US Federal Trade Commission and/or Department of Transportation, who oversee the Framework.

UK Extension of the EU DPF

On 21 September 2023, the UK Government published The Data Protection (Adequacy) (United States of America) Regulations 2023, which entered into force on 12 October 2023. This regulation forms the UK-US data bridge, which will act as an extension to the EU DPF (“UK-US Data Bridge”). In an explainer published by the Government, the UK Secretary of State for Science, Innovation, and Technology “has determined that the UK Extension to the EU-US Data Privacy Framework does not undermine the level of data protection for UK data subjects when their data is transferred to the US. This decision was based on their determination that the framework maintains high standards of privacy for UK personal data.”

In practical terms, a data transfer from the EU/UK to a US organisation that (i) is listed on the EU DPF, and (ii) participates in the UK extension to the EU DPF (i.e. the UK-US Data Bridge), does not require a transfer risk assessment, additional safeguards or standard contractual clauses.

Potential Issues of the UK-US Data Bridge

The UK-US Data Bridge streamlines the transfer of data from the UK to the US. However, the ICO has outlined concerns, in particular where it considers that the UK-US Data Bridge does not contain substantially similar rights to the UK GDPR. By way of example:

• The definition of ‘sensitive information’ under the UK-US Data Bridge does not specify all special categories of personal data outlined under Article 9 of the UK GDPR. Instead, the framework has a broad ‘umbrella’ concept providing that sensitive information is “any other information received from a third party that is identified and treated by that party as sensitive.” UK businesses will have to clearly label certain types of data (e.g. data categories listed under Article 9 of the UK GDPR) as ‘sensitive’ when transferring to a US organisation certified under the UK Extension to ensure adequate protection.
• The UK-US Data Bridge also does not contain a substantially similar right to the UK GDPR’s right to be forgotten or unconditional right to withdraw consent. UK data subjects might therefore not have the same level of control over their data as they do under UK GDPR.

The fundamental point of the data bridge is to ensure the level of protection people in the UK enjoy under the UK GDPR is not undermined when their data is transferred to the US. The data bridge will not remove the obligations of UK companies under UK data protection law to ensure that data is properly protected, and the rights of data subjects upheld. In recognition of the potential shortfalls of the data bridge as outlined above, UK companies will need to carefully balance and address these risks when they make decisions about transferring data to other organisations.

Transfer risk assessments (TRA)

For US organisations that do not fall within the remit of the EU DPF and/or are not certified, a transfer mechanism or TRA is still required when personal data is transferred to these entities. At a recent conference, representatives of the ICO spoke about the UK-US Data Bridge and, in particular, how this will impact on TRAs in relation to data transfers to non-EU DPF certified US entities. The ICO will be publishing written guidance on this point, but in the meantime gave some very helpful insights.

• In the lead up to the UK-US Data Bridge, the UK government Department for Science, Innovation and Technology (DSIT) carried out a detailed assessment, concluding that the “provisions of the UK Extension and other relevant US laws and practices provide an adequate level of protection for UK personal data, and do not undermine the level of protection that UK data subjects enjoy under the UK GDRPR, when that data is transferred to certified US organisations” (the “DSIT Analysis”). The ICOs considers it is reasonable and proportionate for organisations to rely on the DSIT analysis to significantly shorten their TRAs when transferring data to the US – including for the transfer of high harm risk data.
• However, it is important to continuously keep this under review, as the DSIT Analysis may change and may be subject to a legal challenge.

£11 million fine

The pertinence of knowing where your organisation’s data is being transferred and how it will be processed when transferred to the US has been highlighted in the recent fine levied against Equifax by the FCA in the UK. The FCA fined Equifax Ltd over £11 million for failing to manage and monitor the security of UK consumer data it had outsourced to its parent company based in the US. The breach allowed hackers the personal data of millions of people and exposed UK consumers to the risk of financial crime.

Conclusions

Further developments to the formulation of the DPRC signals the US’s commitment and cooperation in protecting the personal data of EU and UK data subjects pursuant to EU DPF and the UK Extension.

From the perspective of UK and US companies looking to transfer (or receive the transfer of) data, the data bridge is welcome news. However, it is important to highlight that the data bridge is not a free pass to send data to the US and give it no further thought.

Organisations should proceed with caution ensuring that the data bridge does indeed apply to their specific transfers. UK organisations should also ensure that data transfers continue to be adequately protected, in particular, when there is gap in protection within the UK-US Data Bridge (such as the gap of protection regarding special category personal data).

If the US recipient does not participate in the EU DPF and/or the UK Data Bridge, the EU/UK company sending personal data to them must use another existing appropriate safeguard to send personal data.