Privacy Shield, the adequacy decision under EU GDPR for transfers to the USA, fell on 16 July 2020. On 10 July 2023, three years later, the EC announced the EU-US Data Privacy Framework (DPF). Now, as from 12 October 2023, we have an adequacy decision under UK GDPR for transfers to the USA!
This is awesome. We’ll give you the practical explainer and takeaways with our perspective of operationalising Privacy. As always, do speak with your usual legal adviser for legal advice.
For UK Gov: ‘The term “data bridge” is our preferred public terminology for “adequacy”’ but take note, ‘Data bridges are not reciprocal, therefore they do not allow the free flow of data from other countries to the UK’.
So it’s a One-Way Data Bridge. Not a snappy title.
We’ll just use ‘adequacy’ where possible and ‘Data Bridge’ to refer to this particular UK adequacy decision in favour of the US.
In our view, ‘extension’ is a bit of an unfortunate term, because the Data Bridge is legally a separate animal to the DPF. And, looked at one way, the Data Bridge clearly sits on top of the EU-US DPF.
The implementing regulations define the ‘UK Extension to the EU-US Data Privacy Framework’ as:
the extension to the EU-US Data Privacy Framework which the United States Department of Commerce administers in relation to transfers of personal data from the United Kingdom
What this means in practice is that your US counterpart, the entity you’re transferring personal data to from the UK, must have self-certified to the EU-US DPF as well as the Extension, because the Extension makes use of all the Principles from the DPF.
What the Data Bridge does do is adopt the EU-US DPF as a starting point and then, rather like the UK GDPR, basically just crosses out the EU and the EDPB and writes in the UK and the ICO.
A US entity signing up to the UK-US Data Bridge has to have also signed up to the EU-US DPF, and comply with the DPF Principles tailored to refer to the UK and ICO.
In that way, we suppose it extends the EU-US DPF, which only applies to transfers of personal data from the EEA to the USA, to make it apply to transfers from the UK to the USA. We think it’s more helpful to think of the Data Bridge like the UK GDPR, which is strikingly similar to the EU GDPR but is clearly a separate beast.
So the Data Bridge is separate to but the same as the DPF, just with UK for EU.
Well, if you’re not in the UK, it means very little because you can’t use the Data Bridge. If you’re in the EEA doing due diligence on onward transfers from the UK to the US, this could make your job easier as you can check the List for the US entities in the supply chain.
If you’re in the UK, it means a huge amount. The key takeaway is that:
after a 3-year hiatus, UK entities now have an adequacy decision to validly transfer personal data to US counterparts who are in the DPF and Data Bridge
To repeat the key takeaway: if your US counterparty is signed up to both the EU-US DPF and the UK-US Data Bridge, then UK entities can now transfer personal data to that US counterparty relying on the Data Bridge with no need to look at SCCs and a TRA.
While the above is technically true, most practitioners have already implemented Data Processing Agreements (DPAs) with SCCs in place with their US counterparties because of that 3-year gap after Privacy Shield fell, and no-one we know is jettisoning that structure.
For example, as UK Gov explains on redress:
‘Supporting this decision [to issue the adequacy regulations for the Data Bridge], the US Attorney General, on the 18 September, designated the UK as a ‘qualifying state’ under Executive Order 14086. This will allow all UK individuals whose personal data has been transferred to the US under any transfer mechanisms (i.e. including those set out under UK GDPR Articles 46 and 49) access to the newly established redress mechanism in the event that they believe that their personal data has been accessed unlawfully by US authorities for national security purposes.’
Importantly, the measures put in place by the Executive Order and the designation of the UK as a qualifying state apply to any transfer, not just those under the Data Bridge.
The UK ICO’s opinion on the Data Bridge, while supportive, states that: ‘there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied.’
Those 4 areas are:
On that first point, the ICO notes that, when using the Data Bridge, UK organisations ‘need to identify biometric, genetic, sexual orientation and criminal offence data as “sensitive data” when sending it to a US certified organisation so it will be treated as sensitive information under the UK Extension’.
There’s already been an attempt to take down the EU-US DPF, by a French MEP, which failed on … wait for it … 12 October 2023, the very day the Data Bridge came into force. That failed for rather technical reasons about the impact on the individual, not the correctness of the DPF adequacy decision. But it shows there are legal hoops to go through before a challenge can be successful.
Someone very adept at hoop-jumping is Max Schrems and NOYB has already said it will challenge the DPF. But what will it mean for the Data Bridge if the DPF fails in a Schrems III?
There’s good news for UK businesses on that.
Just as UK GDPR is a UK law separate to the EU law that is EU GDPR, so the Data Bridge is a separate legal structure to the DPF.
On an IAPP webinar 12 October 2023, senior members of the UK and US governments and civil services confirmed that the UK-US Data Bridge is an independent decision that would continue even if there were to be a Schrems III taking down the EU-US DPF under EU GDPR, and the US would continue to operate the DPF even after a potential Schrems III.
It may have photocopied the entire DPF, crossed out EU and scribbled in UK, but it is a separate legal structure. For example, a CJEU decision against the EU-US DPF, or even a very unlikely EC determination that its original decision was flawed, will ‘only’ affect transfers from the EEA to the USA.
So a Schrems III at the CJEU, in and of itself, will not impact the Data Bridge. In that sense, the Data Bridge does not sit on top of the DPF and that’s why we think it’s better to think of the Data Bridge like the UK GDPR.
OK, we know it is an island but we mean it can’t exist isolated from the rest of the world, hence the impetus to protect the $7 trillion annual UK-US trade with the Data Bridge.
What we mean is that, if the DPF falls, there will be huge political pressure in the EEA to look at the adequacy decision for the UK under EU GDPR if we’re still happily transferring data to the USA.
Don’t discount the likelihood that the DPF can withstand all attacks. The EC is confident that it has addressed the specific issues in Schrems II. Sure, an EO can be overturned, but as we’re seeing in the UK, laws passed by Parliament can be too, and for no good reason (EU Retained Law Bill and DPDI2 anyone?).
How this will play out in practice over the next few years is anyone’s guess, but the DPF and the Data Bridge are here now.
So what are your key actions?
If you’re a UK data exporter under UK GDPR:
Take a look at Keepabl’s award-winning Privacy Management Software which surfaces transfers from all your relationships in your Data Map so you can easily put in place appropriate safeguards.
Breach of the Principles can lead to the highest fine under GDPR, namely the higher of 4% of global turnover or €20m under EU GDPR, £17.5m under UK GDPR. That’s…