On 8 June 2023, the UK Government announced that it had reached a commitment in principle to establish a UK extension to the EU-U.S. Data Privacy Framework. The commitment in principle forms part of a broader “Atlantic Declaration” between the UK and U.S., which sets forth an action plan to cooperate on several economic challenges including data flows, technology supply chains, AI development, and research in future technologies (such as 5G and 6G telecoms, quantum computing and semiconductor development).
Once in force, the UK-U.S. data bridge will permit organisations to transfer personal data subject to the UK GDPR to participating U.S. organisations without the need to rely on data transfer safeguards or derogations.
Background
The UK GDPR (the GDPR as implemented into the UK following the UK’s departure from the EU) generally prohibits the transfer of personal data outside of the UK unless: (i) the importing country or organisation has been deemed to have an adequate level of protection over personal data transferred; (ii) data transfer safeguards have been entered into between the parties; or (iii) certain prescribed derogations are applicable to the relevant transfer. A data bridge functions as a finding of adequacy by the UK Government, and would thus permit the free flow of data between the UK and the adequate country or organisation under (i) above.
What the commitment in principle reveals about the UK-U.S. data bridge
Although the UK-U.S. data bridge remains some way from completion, the commitment in principle includes the following:
- Identification of the key pillars of the UK-U.S. data bridge:The UK-U.S. data bridge aims to: (i) strengthen the rights and safeguards of UK individuals; (ii) ensure robust and reliable data flows; and (iii) reduce burdens on businesses. The strengthening of individual’s rights and safeguards is a clear response to wide ambit of U.S. signal intelligence activities identified in Schrems II, and the emphasis on durable data flows indicates a clear intention to construct the data bridge in a manner robust enough to withstand future legal challenges. The pro-business intent of the UK Government is also evident in the data bridge – as the U.S. is the UK’s most important trading partner and a priority destination for data transfers, the UK-U.S. data bridge thus aims to reduce the burdens of approximately 55,000 data-driven UK businesses, with estimated total cost savings of approximately £92.4 million annually.
- Interaction of the UK-U.S. data bridge with other data transfer mechanisms: The UK-U.S. data bridge permits organisations to leverage the work set out in the generality of the UK-U.S. data bridge (i.e. the proposed redress mechanisms in the U.S.) when considering the risks presented by UK to U.S. data transfers in the context of transfer risk assessments. The commitment in principle does not expressly indicate which data transfer mechanism would be facilitated by the UK-U.S. data bridge. However, it is assumed that this refers to other commonly used data transfer mechanisms such as the International Data Transfer Agreement or Addendum and Binding Corporate Rules.
- A description of the further “technical work” required on the UK-U.S. data bridge: The commitment in principle states that the UK-U.S. data bridge is subject to further “technical work” in the coming months before the UK Government determines whether to establish the UK-U.S. data bridge. Although the UK Government did not elaborate further on what such technical work entails, this is likely to at least involve:
- The finalisation of certification requirements, as it is currently unclear what the certification requirements participating U.S. organisations must adhere to, or the extent such requirements will replicate the certification requirements of the EU-U.S. Data Privacy Framework; and
- The U.S. Attorney General’s designation of the UK as a “qualifying state” under Executive Order 14086 (EO 14086) (for more information on the Executive Order, see our previous alert here). Under Section 3(f) of EO 14086, the U.S. Attorney General is authorised to designate a country as a qualifying state if the U.S. Attorney General determines that, in consultation with the U.S. Secretary of State, U.S. Secretary of Commerce and the U.S. Director of National Intelligence: (i) the relevant country’s laws require certain safeguards to be implemented over persona data relating to U.S. individuals in the conduct of signals intelligence activities; (ii) the relevant country permits or is anticipated to permit the transfer of personal data between it and the U.S. for commercial purposes; and (iii) such a designation would advance the national interests of the U.S.
- Detail of the further review of the UK-U.S. data bridge required by the UK: Before making any final decision on adoption of the UK-U.S. data bridge, the UK government will assess it further, taking in account the protection provided over personal data subject to the UK GDPR; the rule of law; respect for human rights and fundamental freedoms; and the existence and effective functioning of the data protection regulator. In addition, pursuant to a memorandum of understanding signed between the UK Government and UK data protection regulator, the UK Secretary of State is required to further consult the UK data protection regulator prior to making UK adequacy regulations, and the outcome of this consultation process is likely to be influential in the UK Government’s final decision to adopt the UK-U.S. data bridge.
- Predicted timeline: The UK Government noted that the UK-U.S. data bridge is a key deliverable for 2023. As the EU-U.S. Data Privacy Framework remains on track to come into force in the summer of 2023, it is likely that the UK-U.S. data bridge will come into force in the second half of 2023.
Additional and persisting questions relating to the UK-U.S. data bridge
Although the publication of the commitment in principle is helpful, several areas of uncertainty remain, including:
- The scope of the UK-U.S data bridge remains unclear: It is unclear whether the UK-U.S. data bridge will follow the scope of the EU-U.S. Data Privacy Framework, or have narrower or a wider scope of applicability. In relation to the EU-U.S. Data Privacy Framework, EO 14086 indicates that only organisations that are subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission or the U.S. Department of Transportation may be eligible for certification under EU-U.S. Data Privacy Framework. The UK has previously exercised a discretion to distinguish itself from the EU approach, as it did when agreeing a data bridge with South Korea which goes further than the European Commission’s adequacy decision (EU Korea Adequacy Decision) and permits data transfers that involve the transfer of personal data relating to credit information, which EU Korea Adequacy Decision expressly excludes (for more information on the UK-South Korea data bridge, see our previous article here).
- Concerns regarding challenges to the EU-U.S. Data Privacy Framework persist: Unlike the UK’s data bridge with South Korea, the UK-U.S. data bridge is envisaged to operate as a “UK Extension” to the EU-U.S. Data Privacy Framework. This means that the UK-U.S. Data Bridge will still be linked in some form or manner to the EU-U.S. Data Privacy Framework. While the EU-U.S. Data Privacy Framework is designed to address the issues raised in Schrems II, concerns remain, particularly around the continued bulk collection of personal data by U.S. signals intelligence, alignment of concepts under EU law, and the redress mechanisms outlined in EO 14086. In addition, these concerns have been raised by notable EU public bodies, such as the European Parliament and the European Data Protection Board (for more information, see our previous alert here and here). In the event of any legal challenges or potential invalidation of the EU-U.S. Data Privacy Framework, it is unclear to what extent the UK-U.S. data bridge will be affected, or if it can exist independently of the EU-U.S. Data Privacy Framework.
- Unclear impact on UK adequacy: The European Commission remains empowered to suspend, repeal or amend its UK adequacy decision should the UK’s data protection regime deviate too far and be deemed not to offer an adequate level of data protection over EU personal data. It is not clear whether the UK-U.S. data bridge, either on its own or in conjunction with the proposed reform of data protection law (for more information on such reforms, see our alert here), will impact the EU’s UK adequacy decision.
Takeaways for organisations and conclusion
As trans-Atlantic data flows remain a critical element of the digital economy between the UK and U.S., the finalisation of the UK-U.S. data bridge is eagerly anticipated by many organisations. While the commitment in principle is beneficial, it is only a preliminary step towards a finding of U.S. adequacy by the UK. As such, organisations must continue to enter into and rely on existing data transfer mechanisms (or derogations, if applicable) to export personal data subject to the UK GDPR to the U.S.
Organisations should, however, reflect on the commitment in principle when conducting transfer risk assessments for the export of personal data to the U.S., as the content provides helpful guidance to mitigate risk in transfers of personal data subject to the UK GDPR to the U.S.
Other priority destinations for data bridges have also been announced, including countries such as Australia, Singapore, the Dubai International Finance Centre, and Colombia, although the timetable for the implementation of such data bridges remain unclear. We are watching this space for updates.
Authors
Stay Up To Date with Ropes & Gray
Ropes & Gray attorneys provide timely analysis on legal developments, court decisions and changes in legislation and regulations.
Stay in the loop with all things Ropes & Gray, and find out more about our people, culture, initiatives and everything that’s happening.
We regularly notify our clients and contacts of significant legal developments, news, webinars and teleconferences that affect their industries.