The UK government has announced its decision to establish a data bridge with the US, enabling the free flow of personal data between the two regions.
Adequacy regulations have been laid out in the UK Parliament on September 21, 2023, to give effect to this decision, with the regulations due to come into force from October 12.
This follows the US Attorney General designating the UK as a ‘qualifying state’ under Executive Order 14086 on September 18. This will allow all UK individuals whose personal data has been transferred to the US under any transfer mechanisms, including under the UK GDPR, access to a newly established redress mechanism in the event that they believe that their personal data has been accessed unlawfully by US authorities for national security purposes.
UK Secretary of State for Science, Innovation, and Technology (DSIT), Michelle Donelan, therefore determined that this agreement does not undermine privacy protections for UK data subjects.
This means that from October 12, UK businesses can transfer personal data to the US without alternative mechanisms, and without completing transfer impact assessments and implementing additional transfer safeguards.
The data bridge was agreed in principle by the UK and US in June 2023. It represents a UK extension to the Data Privacy Framework agreed between the EU and US, which was confirmed in July 2023. Therefore, it is unlikely to cause issues for the UK’s own adequacy status with the EU.
The Data Privacy Framework replaces the previous Privacy Shield arrangement between the EU and US, which was ruled unlawful under the GDPR due to concerns that US law enforcement agencies could access personal data transferred to the US.
Unlocking Economic Opportunities?
Both the US and UK government have argued that the data bridge will unlock economic opportunities for businesses as well as facilitating innovation in areas like science and research.
Speaking to Infosecurity, Ieuan Jolly, partner and chair of Linklaters’ US TMT & Data Solutions Practice, based in New York, welcomed the announcement, stating it provides legal certainty for businesses on both sides of the Atlantic, in addition to fostering stronger ties between the two countries.
“The deal provides a level of legal certainty that businesses have been yearning for"
“The deal provides a level of legal certainty that businesses have been yearning for. With clear guidelines and safeguards for the cross-border transfer of personal data, it will enable companies to plan and operate with more confidence. This newfound certainty is particularly vital for industries reliant on data-driven strategies, such as technology, e-commerce and financial services,” commented Jolly.
He argued that the deal will enable businesses operating in the UK and US to navigate data privacy issues more seamlessly.
Jolly advised these businesses to proactively review their data protection practices and update their agreements and procedures to align with the new rules.
“Conducting thorough risk assessments and ensuring compliance with the requirements of the agreement will be crucial steps for companies operating in both jurisdictions,” he added.
Georgina Graham, privacy and technology partner, Osborne Clarke, said UK businesses should take steps to understand the extent to which their arrangements with US businesses could benefit from the new UK-US data bridge.
“This means checking whether those US businesses participate (or intend to participate) in the UK-US data bridge, checking the US businesses privacy policy (included within their Data Privacy Framework record) and checking whether the types of data they are transferring are covered by it,” she advised.
Challenges on the Horizon?
Peter Church, Counsel in Linklaters’ Global Tech Sector, based in London, warned that current legal challenges to the EU-US Data Privacy Framework are already underway, and “the fate of the UK extension is closely tied to the outcome of any challenge in the EU.”
He told Infosecurity: “If the EU-US Data Privacy Framework were to be invalidated by the Court of Justice of the European Union (CJEU) again, US companies might well just abandon the scheme and the UK Government may have to terminate the UK extension in order to preserve the UK’s adequacy status as regards the EU.”
Nevertheless, Church believes the significant enhancements made to US privacy laws by EO 14086 means that any legal challenge will likely struggle.
Edward Machin, a senior lawyer in Ropes & Gray’s Data, Privacy and Cybersecurity team, noted that the deal forms part of UK’s post-Brexit policy of liberalizing its data protection regime without straying too far from the GDPR. He believes the fact the data bridge mirrors the Data Privacy Framework “will help to assuage European concerns.”
However, Machin said that “the UK’s data transfer deals with other countries will continue to be subject to scrutiny both at home and abroad.”
He added that it will be interesting to observe whether privacy interest groups in the UK mount their own challenge to the UK Extension.