UK/US data bridge is a welcome development for business relations - Claire Mitchell

Transferring personal data to countries outside the UK requires consideration to ensure compliance with data protection law. To ensure individuals receive the equivalent legal protection they would under UK law, personal data can only be freely transferred to a country covered by an ‘adequacy decision’.

The EU Commission issues adequacy decisions and the UK passes ‘adequacy regulations’ which it calls ‘data bridges’. Having a data bridge means the UK deems that a country provides adequate data protection and allows a more straightforward transfer process to that territory. The UK has now piggy-backed on the EU’s adequacy decision covering the EU-US privacy framework for data transfers with the US.

To ensure both the data controller and receiver are legally bound to adhere to data protection principles, data transfers to countries without a UK data bridge will require additional safeguards before personal data can be transferred cross-border. Safeguards include: legally binding instruments, UK binding corporate rules, standard data protection clauses, codes of conduct, certification schemes and administrative arrangements with public bodies.

Relying on these safeguards also requires the organisation to carry out a transfer risk assessment, or TRA, which isn’t always straightforward. The UK extension to the EU-US Data Privacy Framework (DPF) certifies organisations for data sharing, meaning sharing data with these organisations no longer requires additional safeguards or TRAs. This will be welcomed as they are cumbersome.

Like bridges in place with Japan and Canada, the UK/US data bridge is a partial bridge and only covers organisations which sign up. For uncertified organisations, the rules remain unchanged.

The DPF is an opt-in system and organisations can self-certify online. Before sharing information with a US organisation, you must confirm they’re certified on the DPF list: https://www.dataprivacyframework.gov/s/.

Organisations in banking, telecoms and insurance will be automatically excluded as they do not fall under the jurisdiction of regulatory bodies facilitating the data bridge. Any organisations previously registered under the EU/US bridge must also amend their certification to include the UK following the extension.

If you aren’t satisfied the organisation meets the DPF requirements, continue to use the safeguards and TRA mentioned above before transferring data. Importantly, certification does not create a catch-all free pass for data sharing. For example, ‘special category’ information (i.e., relating to an individual’s health, religious beliefs, political opinions, ethnic origin etc) does not have an identical equivalent under US law and HR data (i.e., collected in employment) must be specifically included on the certificate. Sharing such sensitive information under the data bridge may still warrant extra consideration.

While the UK/US data bridge should be welcomed, organisations must be mindful of these caveats. The Information Commissioner voiced concerns about special category data and recommended it be clearly identified and labelled before sharing, as well as the lack of equivalent protection in US law to Article 22 UK GDPR on automated data processing and Article 17 on the right of erasure. Several other parties have also indicated an intention to challenge the framework at EU level. We anticipate future developments.

Claire Mitchell is a Trainee Solicitor, Anderson Strathern