October 11, 2023 at 05:19AM
The UK Extension to the EU-US Data Privacy Framework, also known as the Data Bridge, will allow for the transfer of personal data from the UK to the US starting on October 12. This is necessary due to the UK no longer being a member of the EU. However, the Information Commissioner’s Office (ICO) has expressed concerns about the Data Bridge, including potential gaps in protecting sensitive data and criminal offense data, as well as the lack of certain privacy rights for individuals. UK companies can still rely on other safeguards such as standard contractual clauses (SCCs) or binding corporate rules (BCRs) for data transfers to the US. However, there are specific requirements for transfers from the UK, and the use of EU SCCs for new agreements is no longer allowed. The ICO’s concerns regarding the Data Bridge will be important to observe as it comes into effect.
Key Takeaways from Meeting Notes:
1. The UK Extension to the EU-US Data Privacy Framework, also known as the Data Bridge, will take effect on October 12. This will enable certifying entities to transfer personal data from the UK to the US.
2. Without the Data Bridge, transferring personal data from the UK to the US would be prohibited under the UK General Data Protection Regulation (UK GDPR) unless transfer mechanisms like standard contractual clauses (SCCs) or binding corporate rules (BCRs) are used.
3. The European Commission adopted an adequacy decision in favor of the EU-US Data Privacy Framework (DPF) in July. This framework replaces the EU-US Privacy Shield, which was invalidated by the Court of Justice of the European Union (CJEU) in 2020.
4. Since the UK is no longer a member of the EU, the DPF does not automatically allow the transfer of personal data from the UK to the US. A separate Data Bridge is required for such transfers.
5. The Department for Science, Innovation, and Technology (DSIT) published the Data Protection (Adequacy) (United States of America) Regulations 2023 on September 21. These regulations provide that the US offers an adequate level of protection for certain types of personal data transfers.
6. In order for UK data exporters to rely on the Data Bridge, the US data importer must have self-certified to the DPF and the Data Bridge. The transferred data must be handled according to DPF principles by the US data importer.
7. The Information Commissioner’s Office (ICO) has expressed concerns about the Data Bridge. It points out that the Data Bridge’s definition of “sensitive data” does not match that of the UK GDPR and may not adequately protect special categories of personal data.
8. The ICO is also concerned about the protection of criminal offense data in the US, as it does not provide equivalent safeguards to those in the UK’s Rehabilitation of Offenders Act 1974. It is unclear how these protections would apply to data transferred to the US.
9. The Data Bridge does not provide the same privacy rights as the UK GDPR, including the right to challenge automated decisions and the right to be forgotten or withdraw consent.
10. If UK companies cannot rely on the Data Bridge, they can continue to use SCCs or BCRs as alternative safeguards for transferring personal data to the US. However, UK exporters should be aware of specific requirements for transfers from the UK.
11. UK exporters using SCCs must append the UK Addendum to the EU SCCs or use the UK International Data Transfer Agreement (IDTA) for new agreements. Existing contracts based on EU SCCs can be used until March 21, 2024.
12. UK exporters using SCCs must conduct a Transfer Risk Assessment (TRA) using either the ICO TRA tool or guidance from the European Data Protection Board (EDPB) before transferring personal data.
13. The ICO’s concerns about the Data Bridge are significant, considering the initial excitement when it was announced. It remains to be seen how the Data Bridge will operate in practice given these concerns.