bto solicitors - Corporate & Commercial Business Lawyers Glasgow Edinburgh Scotland

The UK Extension to the Data Privacy Framework – Bridging the Gap?

06 November 2023

The UK-US “data bridge” came into force in October. It follows a period in which transferring data to the US was prohibited under the UK GDPR without a transfer mechanism in place.

The purpose of the UK-US data bridge is to ensure that data transferred to the US will receive the same level of protection that it does under the UK GDPR. It provides a more reliable way for UK organisations to share personal data with the US, which is intended to build growth for businesses, encourage innovation, promote higher quality services and lower prices for consumers.

Lily Morrison
Solicitor

The legal whirlwind in recent years on US data sharing mechanisms paints the picture behind the new data bridge. Previously, personal data could be transferred to US organisations under the EU Privacy Shield framework. This was struck down in Schrems v Facebook Ireland (C-311/18) after Mr Schrems complained that the US did not provide adequate protection, since US authorities could access personal data for national security purposes.

The UK government confirmed in its new data bridge guidance that the US has designated the UK as a “qualifying state” which allows any UK individuals whose personal data has been transferred to the US access to redress if their data has been unlawfully accessed by US authorities.

Crossing the data bridge – how does it work?

The data bridge is a UK Extension to the Data Privacy Framework.

US organisations can sign up to the Data Privacy Framework to certify that any incoming personal data belonging to UK individuals will receive treatment that is consistent with UK law.

UK organisations can transfer personal data to US organisations in reliance on the certification. If personal data requires to be transferred to an organisation which is not signed up to the framework, an alternative transfer mechanism to protect the personal data must still be in place.

This should be a welcome change for UK organisations looking to share personal data with the US. It goes some way to removing the onerous burden of performing due diligence and seeking federal legal advice on data protection in order to ensure appropriate alternative transfer mechanisms are in place.

The EU has also issued an adequacy decision in respect of the EU-US Data Privacy Framework which, in place of the now cast aside Privacy Shield, allows EU organisations to transmit personal data to certified US organisations. We previously issued an update on the EU-US Data Privacy Framework in July.

It’s not a two-way street

The UK government is clear that the data bridge is not reciprocal. Its purpose is not to allow the free flow of data to and from the US; rather, it aims to ensure that UK individuals’ data will receive a UK GDPR level of protection when it is transferred to another country.

Cracks in the bridge?

The ICO is not entirely satisfied with the new data bridge.

In its assessment it has raised concerns with the definition of “sensitive information” which does not specify all the categories listed under Article 9 of the UK GDPR. In an attempt to catch all sensitive information not explicitly listed, all sensitive information “identified and treated” as such by UK organisations must be treated accordingly by US importers. However, there is no requirement under the UK GDPR to identify information as sensitive. In practice, this may see sensitive information slip through the cracks.  

The ICO has also raised questions about differences in UK and US law. In the UK, limits are placed on the use of criminal conviction data which has become spent – the US does not have a similar rule and so it is not clear how criminal conviction data, which becomes spent after it has been transmitted, would be treated in the US.

The ICO is further concerned that the data bridge does not contain some rights which we now recognise as integral to the UK GDPR: a right to obtain review of an automated decision by a human, a substantially similar rule to the right to be forgotten, or an unconditional right to withdraw consent.

Whether this causes any issues in practice remains to be seen – you could say we will cross that bridge when we come to it.

Next steps

While the new bridge paves the way for an easier route by which to share data, some organisations have already gone to the trouble of putting alternative transfer mechanisms in place. For those organisations more work may be required in the first instance to unwind those transfer mechanisms and instead rely on the UK-US data bridge, where appropriate. UK organisations that entered standard contractual clauses (SCCs) for transfers to the EU and US can now rely on the new adequacy decisions instead of the SCCs.

If you are considering making use of the UK-US data bridge, or have any questions about your current data sharing practices, please don’t hesitate to get in touch.

Lily Morrison, Solicitor: lmo@bto.co.uk, 0131 222 2939
