UK-US Data Bridge extends the EU-US Data Privacy Framework

Author: Chloe Vertigen

On 12 October 2023, the UK government published a new regulation governing data transfers between the UK and the US. This regulation is known as the Data Protection (Adequacy) (United States of America) Regulations 2023 (SI 2023/1028).

Background

The General Data Protection Regulation (GDPR) prohibits companies from transferring personal data outside of the European Economic Area (or, in the case of the UK GDPR, outside of the UK) unless there is an adequacy decision (Article 45 of the GDPR) or additional safeguards (Article 46 of the GDPR) in place for the transfer. The EU and/or the UK makes an adequacy decision when it determines that a country’s data protection laws provide equivalent or better protection for personal data than the GDPR/UK GDPR.

There have been various arrangements dealing with the transfer of personal data between the EU and the US. This was initially dealt with by the International Safe Harbor Privacy Principles (which were overturned by the Schrems I court decision), and then by the EU-US Privacy Shield from 2016, which was overturned by the Schrems II court decision in 2020.

Since the 2020 decision that the EU-US Privacy Shield did not provide adequate protection for data transfers, there have been no equivalent schemes in place, with businesses having to rely on other safeguards such as the new EU standard contractual clauses, UK international data transfer agreements, data transfer impact assessments, and/or binding corporate rules.

Meta’s Record GDPR Fine

In May 2023, Ireland’s Data Protection Commission (DPC) issued Meta, the owner of Facebook, with a £1bn GDPR fine. This substantial penalty stands as the largest GDPR sanction to date.

In its ruling, the DPC confirmed that Meta had infringed Article 46 of the GDPR, as Meta had been transferring the personal data of its European users to servers in the US without implementing the necessary safeguards to ensure the protection and security of personal information.

Notably, this was despite Meta using additional safeguards as set out in the Schrems II decision, which outlined further requirements for stringent data protection during such international transfers.

At the time of the DPC’s decision, the European Commission and the US had already announced that they had agreed, in principle, on a new framework.

The EU-US Data Privacy Framework and the UK-US Data Bridge

In July 2023, the EU and US agreed the EU-US Data Privacy Framework, which is a partial adequacy decision, allowing data to be transferred only to certain US companies without needing additional safeguards. US businesses must self-certify as participating with the Data Privacy Framework and must be on the Data Privacy Framework register.

From 12 October 2023, the Data Privacy Framework has been extended so that companies on the register can also self-certify as participating in the UK-US Data Bridge. As with the Data Privacy Framework, the Data Bridge acts as a partial adequacy decision by the UK government, allowing transfers of data to those companies participating in the Data Bridge.

Potential Appeal

The new Data Privacy Framework is not without its problems. noyb, an organisation fronted by Max Schrems (from the Schrems II court decision which overturned the Privacy Shield in the first place), has indicated that it intends to appeal against the new Data Privacy Framework, claiming it is simply a copy of the Privacy Shield. The key concerns remain over fears of US law enforcement and surveillance laws.

What does this mean for businesses?

The Framework and the Data Bridge are likely a welcome relief for businesses doing frequent business with the US, particularly in light of the Meta decision, as the Data Privacy Framework and the Data Bridge will make compliance with the GDPR and UK GDPR simpler.

However, businesses need to be alert to the fact that US companies have to self-certify in order to participate in the framework and that certification can lapse if not renewed. The risk to businesses here is non-compliance with the GDPR by failing to have additional safeguards in place if the US company is not participating in the framework or has allowed its certification to lapse.

There is also some uncertainty around the appeal. The process will likely take some time, but if a decision is made against the Data Privacy Framework, there is a risk that businesses relying on the Data Privacy Framework and the Data Bridge would have to update their contracts in order to remain compliant with the GDPR and UK GDPR. Even then, as we have seen with the Meta decision, the additional safeguards may not be sufficient.

How can we help?

If you have any questions about the Data Bridge or would like to make sure that you are complying with the UK GDPR when transferring data to the US, please get in touch. I can be contacted on 01206 217352 or via email at chloe.vertigenbirkettlong.co.uk.

The contents of this blog are intended for general information purposes only and shall not be deemed to be, or constitute legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this blog.