What is it?
The UK-US Data Bridge is a deal agreed between the UK and US which will make it easier for UK organisations to transfer personal data lawfully to the US, for example when:
- using SaaS/PaaS/IaaS services provided by US-based companies
- sharing HR and marketing information with US-based group companies
- undertaking research collaborations with US-based organisations
Officially called the “UK Extension to the EU-US Data Privacy Framework” (UK Extension), the UK-US Data Bridge isn’t a bespoke UK-US arrangement but a bolt-on to the EU-US Data Privacy Framework (DPF), launched on 10 July this year, under which participating US companies can sign up to receive UK personal data through the DPF.
The UK-US Data Bridge provides the same benefits to UK organisations as EU organisations gained from the DPF, as described in my colleague Louisa Taylor’s article EU to US Data Transfers – an easier path to compliance.
The Department for Science, Innovation and Technology (DSIT) explains that “The term ‘data bridge’ is our preferred public terminology for ‘adequacy’, and describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards. It symbolises the connection between destinations that is established by these decisions and encapsulates the UK’s collaborative approach with our international partners.”
The UK-US Data Bridge provides an alternative ‘transfer mechanism’ to the UK Addendum + EU Standard Contractual Clauses or the UK International Data Transfer Agreement, and removes the accompanying requirement to carry out a Data Transfer Impact Assessment, making it an easier way of transferring personal data to US organisations.
However, UK organisations hoping to rely on the UK-US Data Bridge will still have to do some work, such as making changes to their privacy notices and contracts with customers and the US organisations to whom they transfer data.
So, can we send personal data to any company in the US now?
No. The UK-US Data Bridge isn’t a panacea – there are gaps in coverage which UK organisations need to be aware of:
- It doesn’t cover all US companies. Only US organisations subject to the jurisdiction of the US Federal Trade Commission or Department of Transport are currently eligible to participate in the DPF, so organisations that are not subject to the jurisdiction of either, such as banking, insurance and telecommunications companies, aren’t able to receive personal data under the DPF or UK Extension.
- It only applies to eligible US companies that have chosen to sign up. Only US organisations that are participants in the DPF and have signed up to the UK Extension can receive personal data from the UK under the UK-US Data Bridge.
It takes a little effort to find out whether you can send personal data to a US organisation under the UK-US Data Bridge. The first step is to search for the organisation in the DPF List. If the organisation is on the list, follow the guidance in the UK-US data bridge: factsheet for UK organisations (see ‘Specific businesses certified to the UK Extension’) on how to check whether you can rely on the UK-US Data Bridge to send personal data to that organisation.
Is it any good?
The UK Information Commissioner’s Office (ICO) seems to have given the UK-US Data Bridge a lukewarm reception, with some substantial reservations about the adequacy of the arrangements.
The ICO’s Opinion on the UK Extension says “while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied.” These areas of concern are:
- The definition of ‘sensitive information’ in the DPF principles doesn’t specify all the categories listed in Article 9 of the UK GDPR, instead using a catch-all provision specifying, “…an organization should treat as sensitive any personal information received from a third party where the third party identifies and treats it as sensitive”. This means UK organisations will have to identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a US participant organisation so it will be treated as sensitive information. However, there is currently no requirement for UK organisations to identify information as sensitive, creating a risk that the protections for sensitive data may not be applied in practice.
- There may be some risks for criminal offence data, even where it is identified as sensitive, because, as far as the ICO is aware, there are no equivalent protections to those in the UK’s Rehabilitation of Offenders Act 1974 that limit use of criminal convictions data once convictions have become ‘spent’, including the ability to request that this data is deleted. It’s not clear how these protections would apply once such data has been transferred to the US.
- The UK Extension doesn’t contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing or provide a right to obtain a review of an automated decision by a human.
- The UK Extension doesn’t contain substantially similar rights to the UK GDPR’s right to be forgotten and unconditional right to withdraw consent. It gives individuals some control regarding their personal data, but not as extensive as the control they have when their data is in the UK.
The ICO recommends that the Secretary of State monitors these areas closely to ensure UK data subjects are afforded equivalent protection in practice and their rights are not undermined, as well as monitoring the implementation of the UK Extension generally to ensure it operates as intended.
The DSIT has partly addressed the concerns relating to sensitive and criminal offence data in its UK-US data bridge: factsheet for UK organisations with some guidance on sending such information (see ‘Should special category or sensitive data be shared under the UK-US data bridge?’ and ‘Should criminal offence data be shared under the UK-US data bridge?’). However, the guidance doesn’t solve those problems or address the ICO’s spent convictions point, and the other two concerns aren’t mentioned in the factsheet or explainer.
Regarding these issues, the DSIT reports in its Analysis of the UK Extension that:
- “…DSIT considers that the DPF provides comparable protections and control over sensitive personal data for UK data subjects as would be received within the UK.” (p16)
- “…DSIT does not think that the extra protections afforded to criminal offence data under the UK GDPR are likely to be undermined and such data will likely benefit from comparable protections under the DPF. However, DSIT will continue to monitor the sharing and use of this type of data and address challenges where there may be issues arising.” (p19)
- “Though there is no explicit right or route for individuals to exercise deletion of their personal data under the DPF, many US state laws also include a right for individuals to have their personal data deleted, subject to certain exemptions. Though these exemptions are broader than those under the UK GDPR, they are more comprehensive than under the DPF and may provide a limited mitigation for some circumstances that could arise for UK individuals.” (p35)
- “…though the DPF does not specifically address automated processing, in our opinion there is a low chance of a material impact on UK data subjects and, in addition, where issues do arise, there is access to multiple redress mechanisms under the DPF.” (p35)
The chosen wording doesn’t fill readers with confidence and perhaps implies a somewhat dubious start to the UK-US Data Bridge.
Neither the ICO nor DSIT seems concerned by two points relating to the DPF Principle for Onward Transfers that I find deficient and baffling:
- US DPF participant organisations can transfer personal data to other organisations who are neither participants in the DPF nor parties to appropriate Standard Contractual Clauses or Binding Corporate Rules. So whereas a UK organisation would be breaking the law if it sent personal data to a US organisation that isn’t a DPF participant signed up to the UK Extension or party to appropriate Standard Contractual Clauses or Binding Corporate Rules (let’s call it a ‘forbidden party’), it could lawfully send data to a UK-US Data Bridge participant who then immediately transfers it on to a forbidden party, e.g. as a result of a sub-processing chain or intra-group sharing. This seems like an obvious and unnecessary loophole that undermines the protection of UK personal data, and means the DPF onward transfer principle is much weaker than the equivalent provision in the Standard Contractual Clauses (clauses 8.7 and 8.8).
- When transferring personal data to a controller, US DPF participants must enter a contract with the controller that ensures data will only be processed “for limited and specified purposes consistent with the consent provided by the individual”. This reference to consent makes no sense where the relevant data wasn’t processed by the UK organisation on the basis of consent: if e.g. legitimate interests, legal obligation or vital interests was the legal basis, there is no consent, so how can these contracts specify what purposes are consistent with non-existent consented-to purposes? Maybe this goes some way to explain – or rather reflects – the common misunderstanding by US organisations regarding the need for consent to process personal data. The wording was carried over from Privacy Shield, and it’s a shame the EU Commission didn’t take the opportunity to amend this to better reflect the GDPR purpose limitation principle and data sharing guidance.
Will it last?
The big question on the lips of all data protection nerds is: how long will the DPF last?
NOYB, the privacy NGO that brought down DPF predecessors Safe Harbor and Privacy Shield, is already planning a challenge to DPF in the CJEU, predicting that a challenge may reach the CJEU by the end of 2023 or beginning of 2024.
According to NOYB, “Overall the new ‘Trans-Atlantic Data Privacy Framework’ is a copy of Privacy Shield (from 2016), which in turn was a copy of ‘Safe Harbor’ (from 2000). Given that this approach has failed twice before, there was no legal basis for the change of course – the only logic of having a deal was political.”
See NOYB’s article European Commission gives EU-US data transfers third round at CJEU for further detail on the history of EU-US data transfer arrangements and the reasons NOYB believes DPF – like its failed predecessors – is inadequate.
With the notable gaps in coverage, the failure to provide substantially similar protections to the UK GDPR in several areas and the threat of an imminent CJEU legal challenge, the UK-US Data Bridge is looking a bit rickety before it’s even launched. However, US organisations, particularly larger ones who participated in Privacy Shield and/or Safe Harbor and can resurrect and re-task their Privacy Shield materials, will probably still consider it worth participating while it lasts.
How can we help?
Making compliant international data transfers can be confusing and challenging. Getting it wrong risks exposing your business to claims from customers and affected individuals and enforcement action by data protection regulators.
At ClaydenLaw we’ve helped many clients get their data transfer compliance picture correct. If you would like us to help you as well, please contact us here for a complimentary 30 minute International Data Transfer Consultation.