The European Commission adopts new adequacy decision for EU-US data flows — a UK perspective
The UK and the US have committed in principle to establish a ‘data bridge’ for the UK extension to the EU-US Data Privacy Framework.
The long-awaited and revised EU-U.S. Data Privacy Framework (“DPF”) dubbed ‘Privacy Shield 2.0’ was finally adopted on 10 July 2023. This follows the previous invalidation of the Safe Harbor and Privacy Shield schemes under the Schrems cases. The purpose of this framework is to ensure the US adopts an adequate level of protection comparable to that of the EU for personal data transferred from the EU to the US. This decision allows personal data to flow safely from the EU to US companies participating in the Framework, without having to put in place additional data protection safeguards. It is proposed that the UK-US ‘data bridge’ will be an extension to this agreement.
Overview of the EU-US DPF
An adequacy decision from the EU Commission facilitates the transfer of personal data from the EU to third countries. The EU GDPR prohibits transfers of personal data in the absence of adequate safeguarding mechanisms which are comparable to the level of protection that they implement, subject to limited exceptions. The European Commission has held that data transferred to companies located in the US that certify their participation in the DPF are subject to a standard of protection which is essentially equivalent to that of the European Union. The European Commission has said that the DPF introduces safeguards that address the concerns raised by the European Court (“CJEU”), most notably, that US intelligence agencies’ access to EU data would be limited to what is necessary and proportionate, and that EU citizens would be able to raise complaints before a new Data Protection Review Court (“DPRC”) established in the US.
Although this change is a step in the right direction, it has been criticised by the European Data Protection Board, the European Parliament, and others for not going far enough. It has also been argued that reform to US surveillance legislation is needed to address the issues the CJEU found. Time will tell how, and if, this will be challenged.
I am a UK business or individual based in the UK. Why is this relevant to me?
This sets the stage for the UK-US data bridge.
On 8 June 2023, US President Joe Biden and UK Prime Minister Rishi Sunak announced that they had committed in principle to facilitate the free flow of personal data between the UK and the US through a new ‘data bridge’, which in theory will be a UK extension to the DPF, aimed at providing a robust and reliable mechanism for transatlantic flows of personal data. This means US companies who are approved to join the framework would be able to receive UK personal data under the new data bridge. The UK-US data bridge, when finalised, would constitute a UK-issued adequacy decision.
“A data bridge would avoid the need for businesses to utilise costly and inefficient alternative transfer mechanisms, such as individual contractual clauses, when transferring personal data”, said the UK Government.
There are several benefits with implementing a data bridge for both sides of the Atlantic, including those mentioned above. From stimulating economic growth and encouraging businesses to operate on a global scale, to enabling businesses to share crucial information which can enhance life-saving research and encourage science and innovation across borders. This will strengthen the rights and safeguards of individuals, ensuring robust and reliable data flows, and reduce burdens on business which are the key pillars underpinning the commitment in principle.
When will the UK-US data bridge be implemented?
The UK Secretary of State for Science, Innovation and Technology, Chloe Smith, and US Secretary of Commerce, Gina M. Raimondo, also issued a joint statement regarding this topic. It stated that “This announcement represents the UK’s intent to establish a data bridge for the UK Extension to the EU-US Data Privacy Framework, subject to the UK’s data bridge assessment and further technical work being finalised, and dependent on the US designation of the UK as a qualifying state under Executive Order 14086.” Consultation with the Information Commissioner will be required under the Data Protection Act 2018, however, it appears that this will not take too much longer. Watch this space.
A new UK-US data bridge is welcome news for our UK businesses which transfer data to the US. There has been uncertainty around this issue for some time and clarity will assist and potentially simplify international dataflows. That said, given many commentators complaints associated with the DPF, it will be interesting to see how any developments unfold. Weightmans will be tracking this closely and will provide further details as it progresses.