UK and U.S. agree "bridge" to allow transatlantic personal data flows

September 22, 2023

The speed at which artificial intelligence has come to dominate the public consciousness can almost make you wistful for the days when the data protection discourse centered around international transfers.  

The passing of the EU-U.S. Data Privacy Framework (DPF) earlier this summer meant that attention started to focus elsewhere.  And with the announcement yesterday (21 September 2023) that the UK and U.S. governments have established a so-called UK Extension to the DPF, the loop is closed on the EU/UK/U.S. data transfer saga.  Or, I should say, closed for now.

Much like the DPF, the UK Extension allows qualifying U.S. organisations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transport to receive personal data from the UK without having to rely on an alternative transfer mechanism under the UK GDPR.  Although most U.S. organisations in the finance and telecoms sectors won’t be eligible to certify to the UK Extension, the software and technology businesses whose services are central to modern life and work – including the growth of the AI Industrial Complex – are qualified for the DPF and will also seek certification for the UK Extension, which takes effect from 12 October 2023.

If you are a U.S. organisation, you need to opt in to receiving personal data from the UK under your DPF certification.  If you are based in the UK, before sending personal data to qualifying U.S. organisations you must confirm that they are certified to the DPF.  Businesses on both sides of the pond should also update their privacy notices and data sharing/processing agreements to reflect that they may share or receive personal data under the UK Extension.

The cosmetic updates aside, there are two questions that often arise in discussions with clients and colleagues on international data transfers.  Although these questions apply both to the DPF and the UK Extension, we should expect – or at least not be surprised by – some divergence in interpretation and application by European and British governments and regulators, particularly as the UK looks to strike a more liberal approach to data protection policymaking post-Brexit.

1. To DTIA or not to DTIA?

For anyone other than data protection geeks, conducting the transfer impact assessments (including the determination of supplementary measures) required by the CJEU’s Schrems II decision when transferring personal data to third countries felt a bit like living in a Hieronymus Bosch painting.  With that in mind, Question 7 of the European Commission’s FAQs on the DPF made for very helpful reading, given that the Commission makes clear that the safeguards put in place by the U.S. government to secure adequacy under the DPF also apply to transfers made under other mechanisms (i.e., SCCs and BCRs).

That position now applies to the UK Extension.  Does this mean that organisations in the UK which rely on alternative transfer mechanisms no longer need to complete DTIAs when sending personal data to the U.S.?  It’s certainly arguable, but nevertheless I would suggest putting in place a short-form DTIA – and it really can be short – that refers to the relevant UK legislation and the opinions of the Information Commissioner’s Office and the UK government on the UK Extension.

2. Will the UK extension be challenged?

Maybe.  It’s early days, but the types of organisations that would be most likely to mount a challenge – Big Brother Watch, Liberty, and so on – haven’t to my knowledge indicated their intention to do so.  A possibly more interesting question concerns what happens if the DPF is struck down by the CJEU.  A legal challenge to the DPF has already been submitted by a member of the European Parliament, and it has been reported that Max Schrems is gearing up to launch an attack of his own.

Although it requires the U.S. to put in place more robust protections for Europeans’ data than under previous transatlantic agreements, you’d be brave to say that the CJEU definitely won’t also strike down the DPF.  In such a case, would the UK Extension have to fall?  Not necessarily, although its continued viability would in part turn on whether the U.S. has the same appetite for maintaining a framework without its primary trading partner – and also whether the European Commission would consider that the continued operation of the UK Extension undermines the UK’s adequacy determination from the EU.
