The EU has approved the EU-US Data Privacy Framework, meaning that businesses which certify under the EU-US Data Privacy Framework have a valid transfer mechanism to share personal data from EEA countries to the US. This approval is relevant for UK businesses that operate internationally and are involved with the transfer of personal data from the EU and to other UK businesses to the extent any data transfers they are involved with are subject to the EU GDPR.
The UK does not benefit from the new EU-US adequacy decision meaning, for the time being, UK businesses therefore still need to use transfer mechanisms such as the UK Addendum and the international data transfer agreement (IDTA) to transfer personal data from the UK to the US.
New EU-US Data Privacy Framework
On the 10 July 2023, the European Commission announced a new data transfer pact with the United States in the form of the EU-US Data Privacy Framework. This means that the European Commission has made an adequacy decision in favour of the US which businesses can make use of from the 11 July 2023. The Commission noted that new measures taken by the United States around limiting the US government's surveillance programme's access to EU data for national security purposes and the establishment of a Data Protection Review Court for Europeans, had addressed the Court of Justice of the European Union's previous concerns.
It is a case of 'watch this space' for what happens next for the EU-US Data Privacy Framework. US businesses wishing to benefit from the Data Privacy Framework will need to become certified under the Framework. Business groups have welcomed the deal and feel that it will reduce a lot of the compliance burden involved in transferring data from the EU to the US. However, privacy campaigners, including Max Schrems, have already said that it is inadequate and that they will be challenging the Data Privacy Framework before the Court of Justice of the European Union. It remains to be seen whether this latest adequacy decision can survive such a challenge.
WBD US has written an article which looks at what the EU-US Data Privacy Framework means for businesses, and the steps businesses need to take in order to self-certify under the new framework, which you can read here.
UK-US data bridge
On the 8 June 2023, the UK and US governments issued their Atlantic Declaration. The Atlantic Declaration relates to the UK-US partnership and to the commitment of the respective governments to work together across the fields of economic, technological, commercial and trade relations.
On the same day, the UK and US governments announced in a joint statement that the two countries have committed in principle to establish a "UK-US data bridge". The data bridge will represent the UK Extension to the EU-US Data Privacy Framework and would allow for the free flow of personal data between businesses in the UK and participating businesses in the US. This is a part of the Atlantic Declaration and a step which is described in the Atlantic Declaration as being "foundational to efforts to further innovation".
There is work to be done on both sides of the Atlantic to make this happen. The UK needs to finalise its assessment of US data protection laws and practices and carry out other technical work. The US needs to designate the UK as a qualifying state under Executive Order 14086.
A press release by the UK government explained that the UK government will continue to finalise its data bridge assessment taking into account the protection provided for personal data, the rule of law, respect for human rights and fundamental freedoms, and the existence and effective functioning of a regulator in the US. It will also formally consult the Information Commissioner (ICO), as per the requirements of the Data Protection Act 2018, and as set out in a memorandum of understanding between the ICO and The Secretary of State for Digital, Culture, Media & Sport relating to the role of the ICO in relation to new UK adequacy assessments. The press release notes that once the data bridge is finalised, it will allow personal data to be transferred securely and more freely from UK organisations to certified organisations in the US. It will also remove the need to rely on alternative data transfer mechanisms such as the UK Addendum and the IDTA, which the UK government views as too costly and time consuming.
So, at the start of June 2023, we saw a commitment for the UK and the US to work together on a data bridge which would provide a reliable mechanism for UK-US data flows. We do not yet know, however, the detail of what will happen next or the timings.
What happens next for the UK-US data bridge?
The UK government is in a busy period managing domestic crises such as the cost of living, high interest rates, strike action across the public sector and an ever looming general election as well as dealing with the impact of international events, including the war in Ukraine. The UK government is also working through a lot of new legislative developments as it seeks to review EU retained law and to look for opportunities for deregulatory reforms aimed at growing the economy and cutting costs for businesses.
That said, the fact that the EU-US Data Privacy Framework is now approved by the EU makes it more likely that a UK extension will be possible and that the timescales for putting this in place may be shorter than previously anticipated for the following main reasons:
- The UK, mindful of preserving its own adequacy decision with the EU, will take comfort from knowing that the European Commission has granted an adequacy decision for the EU-US Data Privacy Framework
- The approval of the EU-US Data Privacy Framework is likely to put additional political pressure on the UK government to resolve the UK Extension to the EU-US Data Privacy Framework with the US government as quickly as possible
- The UK will not want to be seen to fall behind other EU members states and has already expressed its wish to remove red tape for businesses and make it easier for British businesses to trade internationally.
The UK press release from the 8 June 2023 talked about the necessary technical work for the UK-US data bridge being completed in "the coming months" but this is evidently a priority item for UK government and perhaps we will now see those timescales contract.