UK-US Data Bridge opens to traffic

From 12 October 2023, we have the UK-US Data Bridge, the EU-US DPF extension to enable UK-US transfers of personal data. We dig into what it actually is, what it means for UK business, and what happens if a Schrems III takes down the DPF ...
Privacy Shield, the adequacy decision under EU GDPR for transfers to the USA, fell on 16 July 2020. On 10 July 2023, three years later, the EC announced the EU-US Data Privacy Framework (DPF). Now, as from 12 October 2023, we have an adequacy decision under UK GDPR for transfers to the USA!

This is awesome. We’ll give you the practical explainer and takeaways with our perspective of operationalising Privacy. As always, do speak with your usual legal adviser for legal advice.

A rose by any other name

For UK Gov: ‘The term ‘data bridge’ is our preferred public terminology for ‘adequacy’’ but take note, ‘Data bridges are not reciprocal, therefore they do not allow the free flow of data from other countries to the UK’.

So it’s a One-Way Data Bridge. Not a snappy title.

  • In practice, it’s the UK Extension to the EU-US Data Privacy Framework (more on that later).
  • For purists this is technically an adequacy regulation under section 17A of the UK’s 2018 Data Protection Act for the purposes of Part 2 of the Data Protection Act 2018 and the UK GDPR.
  • For shorthand it’s an adequacy decision under UK GDPR (who needs more jargon when we’re all used to that term).

We’ll just use ‘adequacy’ where possible and ‘Data Bridge’ to refer to this particular UK adequacy decision in favour of the US.

What’s with ‘Extension’?

In our view, ‘extension’ is a bit of an unfortunate term, because the Data Bridge is legally a separate animal to the DPF. Yet, looked at one way, the Data Bridge clearly sits on top of the EU-US DPF.

The implementing regulations define the ‘UK Extension to the EU-US Data Privacy Framework’ as:

the extension to the EU-US Data Privacy Framework which the United States Department of Commerce administers in relation to transfers of personal data from the United Kingdom

What this means in practice is that your US counterpart, the entity you’re transferring personal data to from the UK, must have self-certified to the EU-US DPF as well as the Extension, because the Extension makes use of all the Principles from the DPF.

The Data Bridge is like UK GDPR

What the Data Bridge does do is adopt the EU-US DPF as a starting point and then, rather like the UK GDPR, basically just crosses out the EU and the EDPB and writes in the UK and the ICO.

A US entity signing up to the UK-US Data Bridge has to have also signed up to the EU-US DPF, and comply with the DPF Principles tailored to refer to the UK and ICO.

In that way, we suppose it extends the EU-US DPF, which only applies to transfers of personal data from the EEA to the USA, to make it apply to transfers from the UK to the USA. We think it’s more helpful to think of the Data Bridge like the UK GDPR, which is strikingly similar to the EU GDPR but is clearly a separate beast.

So the Data Bridge is separate to but the same as the DPF, just with UK for EU.

What it means to you

Well, if you’re not in the UK, it means very little because you can’t use the Data Bridge. If you’re in the EEA doing due diligence on onward transfers from the UK to the US, this could make your job easier as you can check the List for the US entities in the supply chain.

If you’re in the UK, it means a huge amount. The key takeaway is that:

after a 3-year hiatus, UK entities now have an adequacy decision to validly transfer personal data to US counterparts who are in the DPF and Data Bridge

  • No need for SCCs.
  • No need for TRAs, the transfer risk assessment under UK GDPR that fulfils the role of transfer impact assessments, or TIAs, under EU GDPR.
  • No need for BCRs. Sorry … who are we kidding, almost nobody has BCRs 🙂 We included them for completeness.

To repeat the key takeaway: if your US counterparty is signed up to both the EU-US DPF and the UK-US Data Bridge, then UK entities can now transfer personal data to that US counterparty relying on the Data Bridge with no need to look at SCCs and a TRA.

No, what does it mean in practice?

Tough crowd.

Little impact on existing DPAs and SCCs

While the above is technically true, most practitioners have already implemented Data Processing Agreements (DPAs) with SCCs in place with their US counterparties because of that 3-year gap after Privacy Shield fell, and no-one we know is jettisoning that structure.

  • Instead, we’re hearing that people are keeping that DPA + SCC structure in place and, on its next review (we’re all busy), adding in a reference to the Data Bridge. Some are pro-actively amending contracts to refer to the Data Bridge but, let’s face it, in practice you’re unlikely to have the negotiating power to tell large US suppliers to change their DPA just because you want to; you’ll have to wait for them to do it.
  • For example, at the time of writing, the published versions of both Microsoft’s DPA and Salesforce’s DPA were last updated in January 2023, before the DPF and Data Bridge, and both organisations are signed up to the EU-US DPF, Swiss-US DPF and the UK-US Extension.
  • We’re seeing a ‘belt and braces’ approach, with DPAs and SCCs unchanged but with references to the DPF (for EEA exporters) and Data Bridge (for UK exporters) working their way in as a primary mechanism with the SCCs in case the DPF / Data Bridge fails, which many are worried about.

Massive impact on your TRAs

  • When you can rely on the Data Bridge, you do not need to do a transfer risk assessment under UK GDPR (TRA).
  • When you can’t rely on the Data Bridge, you still need to do a TRA, but it is immeasurably easier. You can simply refer to the EC and UK Gov decisions that the US has addressed the issues in Schrems II through the Executive Order and the resulting implementation of restrictions on government access for surveillance and the right to redress for EEA and UK data subjects.

For example, as UK Gov explains on redress:

‘Supporting this decision [to issue the adequacy regulations for the Data Bridge], the US Attorney General, on the 18 September, designated the UK as a ‘qualifying state’ under Executive Order 14086. This will allow all UK individuals whose personal data has been transferred to the US under any transfer mechanisms (i.e. including those set out under UK GDPR Articles 46 and 49) access to the newly established redress mechanism in the event that they believe that their personal data has been accessed unlawfully by US authorities for national security purposes.’

Importantly, the measures put in place by the Executive Order and the designation of the UK as a qualifying state apply to any transfer, not just those under the Data Bridge.

Take care identifying the personal data

The UK ICO’s opinion on the Data Bridge, while supportive, states that: ‘there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied.’

Those 4 areas are:

  1. ‘The definition of ‘sensitive information’ under the UK Extension does not specify all the categories listed in Article 9 of the UK GDPR.’
  2. ‘For criminal offence data, there may be some risks even where this is identified as sensitive because, as far as we are aware, there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974.’
  3. ‘The UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual. In particular, the UK Extension does not provide for the right to obtain a review of an automated decision by a human.’
  4. ‘The UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent. While the UK Extension gives individuals some control over their personal data, this is not as extensive as the control they have in relation to their personal data when it is in the UK.’

On that first point, the ICO notes that, when using the Data Bridge, UK organisations ‘need to identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a US certified organisation so it will be treated as sensitive information under the UK Extension’.

What if there’s a Schrems III?

There’s already been an attempt to take down the EU-US DPF, by a French MEP, which failed on … wait for it … 12 October 2023, the very day the Data Bridge came into force. That failed for rather technical reasons about the impact on the individual, not the correctness of the DPF adequacy decision. But it shows there are legal hoops to go through before a challenge can be successful.

Someone very adept at hoop-jumping is Max Schrems and NOYB has already said it will challenge the DPF. But what will it mean for the Data Bridge if the DPF fails in a Schrems III?

There’s good news for UK businesses on that.

Again, the Data Bridge is like UK GDPR

Just as UK GDPR is a UK law separate to the EU law that is EU GDPR, so the Data Bridge is a separate legal structure to the DPF.

On an IAPP webinar on 12 October 2023, senior members of the UK and US governments and civil services confirmed that the UK-US Data Bridge is an independent decision that would continue even if there were to be a Schrems III taking down the EU-US DPF under EU GDPR, and that the US would continue to operate the DPF even after a potential Schrems III.

It may have photocopied the entire DPF, crossed out EU and scribbled in UK, but it is a separate legal structure. For example, a CJEU decision against the EU-US DPF, or even a very unlikely EC determination that its original decision was flawed, will ‘only’ affect transfers from the EEA to the USA.

So a Schrems III at the CJEU, in and of itself, will not impact the Data Bridge. In that sense, the Data Bridge does not sit on top of the DPF, and that’s why we think it’s better to think of the Data Bridge like the UK GDPR.

The UK isn’t an island

OK, we know it is an island but we mean it can’t exist isolated from the rest of the world, hence the impetus to protect the $7 trillion annual UK-US trade with the Data Bridge.

What we mean is that, if the DPF falls, there will be huge political pressure in the EEA to look at the adequacy decision for the UK under EU GDPR if we’re still happily transferring data to the USA.

EO + DPF = strong protection

Don’t discount the likelihood that the DPF can withstand all attacks. The EC is confident that it has addressed the specific issues in Schrems II. Sure, an EO can be overturned, but, as we’re seeing in the UK, laws passed by Parliament can be too, and for no good reason (EU Retained Law Bill and DPDI2 anyone?).

How this will play out in practice over the next few years is anyone’s guess, but the DPF and the Data Bridge are here now.

So what are your key actions?

5 actions now

If you’re a UK data exporter under UK GDPR:

  1. Make sure you know your transfers to the USA.
  2. Check to see if your US counterparty is on the List for both EU-US DPF and the UK-US Extension.
  3. If they are, see how they’ve reacted to the Data Bridge and if and when it’s coming into their DPA and push them / impose it if you can and it’s commercially appropriate.
  4. When relying on the Data Bridge, make sure you ‘identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a US certified organisation so it will be treated as sensitive information under the UK Extension’. It’s necessary to identify the personal data in SCCs too, so this won’t be a major issue.
  5. If they’re not, take the opportunity to review your DPA and in particular your TRA, making full use of the EC and UK Gov findings that the Executive Order put in place measures that satisfy Schrems II.

Know your transfers!

Take a look at Keepabl’s award-winning Privacy Management Software which surfaces transfers from all your relationships in your Data Map so you can easily put in place appropriate safeguards.
