The EU-US Data Privacy Framework (DPF) is the replacement for the Privacy Shield mechanism for data transfers between the EU and USA. Since its launch on 10th July, UK companies have been waiting for a UK addition to this framework. The European Commission has recognised the DPF as ‘adequate’, meaning that participants are considered to provide an equivalent level of protection for personal data to EU companies bound by GDPR.
The UK Department of Science, Innovation and Technology (DSIT) recently rewarded the patience of British companies. It announced that the UK-US Data Bridge extension to the DPF will be active from 12th October, following regulations being issued to Parliament for the Data Bridge’s approval. Under this framework, the UK government has issued a similar, limited ‘adequacy decision’ with respect to the US. This will now allow UK organisations to transfer data more easily to their US partners and service providers.
As a result, organisations using the DPF and Data Bridge to send and receive data are not required to complete additional paperwork. Transfers to countries without an adequacy decision under the GDPR would usually require extra work. This includes putting in place International Data Transfer Agreements (IDTAs) and conducting Transfer Risk Assessments (TRAs) before deciding whether to transfer the data and what safeguards will be needed.
It is expected that the US Big Tech platforms, and many other organisations likely to do business in the EU and UK, will accede to the EU-US DPF and the Data Bridge. This is likely to be to the benefit of many UK organisations, since the growth of cloud computing (which usually uses one of three US-headquartered platforms) has made data transfers to organisations based in the United States both widespread and crucial to business operations.
How will the UK-US Data Bridge arrangements work?
The Data Bridge arrangement essentially acts as a UK extension to the EU-US DPF. This allows UK companies to transfer data to US organisations that are certified as complying with the Framework controls.
For compliance with the Data Bridge, obligations fall chiefly on US ‘data importers’, which could range from software-as-a-service providers to retail or marketing partners based in the United States. To receive personal data from the UK, these US organisations must already be registered under the EU-US DPF, commit to and implement all its principles, and then complete a self-certification confirming that they have done so.
These principles include:
- providing notice to individuals,
- giving them access to their personal data,
- providing opt-outs from new data processing or data sharing,
- ensuring accountability for onward transfers,
- maintaining the security of personal data,
- limiting personal data to the information that is relevant for the purposes of processing.
There are also processes for recourse for individuals and enforcement of the principles through the US legal system. US organisations that are still registered under the old Privacy Shield certification can be grandfathered over to the DPF by 10th October 2023. The US organisation must also sign up to the UK-US Data Bridge extension to use this as a basis for transferring data from the UK, since the DPF only covers transfers from the EU. They must also update their privacy notices to state that they are using these frameworks.
UK-based data exporters planning to send data to a US partner using the Data Bridge should use the DPF website to confirm whether the partner is listed as participating in both the DPF and the UK Data Bridge extension. Regulations also require UK companies to update their privacy notices to identify data transfers to the US via the Data Bridge.
More generally, all UK organisations should review their supplier lists to confirm whether any of their US-based providers are certifying to the DPF and Data Bridge. If so, Records of Processing Activities will need to be updated, and international data transfer agreements will no longer be needed. Taking these actions will represent a significantly smaller headache for UK organisations than the current ‘additional safeguards’ required for international data transfers.
Although the Data Bridge provides a respite from the intricacies of IDTAs and TRAs for frequent transfers to US-headquartered partners – such as cloud service providers – the journey for UK companies may not yet be over.
By piggybacking onto the EU-US DPF, the UK also demonstrates the difficulty in diverging from the GDPR and EU data protection arrangements – which causes hazards of its own. noyb, the privacy rights organisation that successfully challenged the Privacy Shield, has indicated a desire to contest the EU-US Data Privacy Framework before the European Court of Justice. This is on the basis that the legislation that allows US law enforcement authorities to access EU citizens’ data stored in the United States remains in place.
As such, if the DPF collapses, the Data Bridge will fall with it. However, noyb has yet to launch any legal action and, unless they do, this will be a useful option for UK organisations looking to work with US partners and service providers that have certified themselves against the requirements.