UK/US Data Bridge: What UK Organisations Need to Know

The UK and US have long been like-minded allies, promoting cross-border business relationships. With that in mind, it is surprising that the US and UK have (until recently) had an inharmonious relationship when it comes to data sharing. This is primarily due to the EU decision in Schrems II, which found that the original ‘Privacy Shield’ designed to support data sharing between the EU (and UK) and the US was inadequate. In an effort to bolster this relationship, the UK has now become party to a new EU-US data bridge.

What does this mean for UK organisations?

Background to International Data Transfers

Transferring personal data to countries outside of the UK has long required careful consideration to ensure compliance with data protection law.

To ensure individuals are afforded the same level of protection as they would receive under UK law when their data is transferred to an organisation in another country, UK GDPR allows personal data to be freely transferred only to a country that is covered by an ‘adequacy decision’.

In this case the UK has decided to piggy-back on the European Union’s adequacy decision that covers the EU-US Data Privacy Framework for international transfers of data between the US and the EU. The resulting UK adequacy decision is an extension of that framework.

Strictly speaking, the EU Commission issues adequacy decisions and the UK passes ‘adequacy regulations’. In an attempt to make data protection terminology just a little bit more accessible, the UK has recently taken to calling these measures a data bridge.

Having a data bridge with a country means that the UK has deemed that country to provide an adequate level of data protection. The benefit of having a data bridge in place is that it allows a more straightforward process to transfer personal data to that country or territory.

A data bridge already exists for transfers to a number of territories, including the EEA, Switzerland, New Zealand and Argentina as well as Gibraltar, Jersey, Guernsey and the Isle of Man. Partial data bridges also exist for Canada and Japan, offering more straightforward data sharing in limited circumstances.

To ensure that both the data controller and receiver are legally bound to adhere to data protection principles, data transfers to countries without a data bridge from the UK will require appropriate safeguards before personal data can be transferred cross-border.

These safeguards are listed in Article 46 of the UK GDPR and include:

  1. Legally Binding Instruments: the organisation you are sharing with is covered by a legal instrument which provides safeguards for individuals, including enforceable rights and remedies for individuals whose data is shared.
  2. UK Binding Corporate Rules (BCRs): transfers within an international organisation or ‘group’ where both sides have signed up to BCRs which have been approved by the Information Commissioner’s Office (ICO). BCRs tend to be very expensive to obtain and often only very large multinationals are prepared to incur the time and expense in setting them up and obtaining ICO approval.
  3. Standard Data Protection Clauses: the controller and receiver have entered a contract incorporating UK compatible data protection clauses, also known as the ICO’s form of International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses with a UK Addendum.
  4. Code of Conduct: the receiver has signed up to a code of conduct approved by the ICO. (None currently exist).
  5. Certification Scheme: the receiver has a data protection certification under a scheme approved by the ICO. (None currently exist).
  6. Administrative Arrangements with Public Bodies: the administrative arrangements in place contain data protection principles and have been authorised by the ICO.

Relying on a mechanism listed above also requires the organisation to carry out a transfer risk assessment, or TRA. This isn’t always a straightforward exercise.

US Data Sharing

The UK extension to the EU-US Data Privacy Framework (DPF) allows organisations to become certified for data sharing purposes. Certification under the DPF means that sharing data with these organisations no longer requires the appropriate safeguards noted above. The removal of the requirement for a TRA for these UK/US data transfers will also be welcomed, as this is widely hailed as a complex and cumbersome exercise.

Caveats

Like those in place for Japan and Canada, the UK/US data bridge is a partial bridge. Only some US organisations will have signed up to the DPF. For organisations which are not certified, the rules remain unchanged.

The DPF is an opt-in system and organisations must sign up through an online self-certification process. Before sharing information with a US organisation under the bridge, you must confirm that they are certified as a participant in the DPF. This can be done by searching the DPF list at dataprivacyframework.gov.

Organisations in the banking, telecoms and insurance sector will be automatically excluded as they do not fall under the jurisdiction of the regulatory bodies who have facilitated the data bridge. Furthermore, any organisations previously registered under the EU/US bridge will need to amend their certification to include the UK following the extension.

If you are not satisfied that the organisation meets the DPF requirements, transferring data should be done by reverting to the pre-existing appropriate safeguards and risk assessments mentioned above.

Importantly, certification does not mean there is a catch-all free pass for data sharing. Information classed as special category data under Article 9 of the UK GDPR (e.g. data relating to an individual’s health, religious or philosophical beliefs, political opinions, racial or ethnic origin, etc.) has no identical equivalent under US law. Sharing such sensitive information under the data bridge may therefore still warrant extra consideration. The ICO recommends that special category personal data be clearly identified and labelled as such before sharing. The same applies to HR data collected in an employment relationship: before sharing it, an organisation must check that the recipient’s certification specifically covers HR data.

An area under review?

While the UK/US data bridge is to be welcomed, organisations should be mindful of the caveats set out above.

The ICO has made some comments on the data bridge, including concerns about special category data and the lack of protection equivalent to that contained in Article 22 UK GDPR on automated decision-making and Article 17 on the right to erasure. At the same time, several other parties have indicated their intention to challenge the framework at an EU level. We recommend keeping an eye out for future developments.

For further information on how we can assist your organisation with international data transfers, please get in touch with Douglas McLachlan, Lorraine Currie or your usual Anderson Strathern contact.
