After a long-awaited adequacy decision for the free flow of data from the UK to the US, on 21 September 2023 the UK Secretary of State for the Department for Science, Innovation and Technology (DSIT) took the decision to establish a data bridge for transfers of personal data between the UK and the US. From 12 October, UK organisations are able to export personal data to US entities as long as these are certified to the UK extension to the EU-US Data Privacy Framework (UK Extension). This article aims to inform UK organisations exporting personal data to the US of the actions they need to take and the risks they should consider before the data transfers take place. It refers in particular to the risk areas of such data transfers identified by the Information Commissioner's Office (ICO) and suggests measures for mitigating those risks.
On 10 July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework (DPF). The DPF consists of a set of principles that offer protections for personal data transferred from the EU to certified US organisations. The UK could not rely on this decision because of its exit from the European Union. Therefore, on 21 September 2023 the UK Secretary of State for DSIT established the UK-US data bridge (the preferred UK term for adequacy) through the UK extension to the EU-US Data Privacy Framework. Hence, the protections that exist under the DPF are extended to transfers of personal data from UK organisations to certified US businesses without any requirement to implement additional safeguards (e.g., an International Data Transfer Agreement or a UK Addendum).
To support this decision, on 18 September 2023 the US Attorney General designated the UK as a 'qualifying state' under Executive Order 14086. Therefore, all UK individuals whose personal data has been exported to the US under any transfer mechanism (i.e. including the alternative transfer mechanisms of Articles 46 and 49 of the UK GDPR) will have access to the newly established redress mechanism. Hence, if individuals believe that their personal data has been accessed unlawfully by US authorities for national security purposes, they are able to seek redress.
The adequacy regulations were laid before the UK Parliament and entered into force on 12 October 2023. In practice this means that from 12 October organisations in the UK are able to transfer personal data to US organisations certified to the UK Extension, without needing to rely on alternative data-transfer mechanisms and without needing to carry out a transfer risk assessment.
The Information Commissioner's Office's response
Despite organisations widely embracing the UK Extension, the ICO expressed concerns regarding four particular areas that could entail risks to UK data subjects if no protective measures are identified and put in place by organisations. According to the Memorandum of Understanding signed between the ICO and DSIT on the role of the ICO in UK adequacy assessments and regulations, the ICO does not make its own assessment of the adequacy of another country. The ICO can only provide independent assurance on the process followed and the factors that DSIT officials take into consideration. Hence, the ICO stated that while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection, it identified areas of possible risk. For this reason, the ICO provided a "qualified assurance to Parliament as it considers the regulations".
More specifically, the ICO highlighted that:
- The UK Extension includes a definition of 'sensitive data' which does not match that of Article 9 of the UK GDPR. The DPF contains an 'umbrella' provision, which states that sensitive data can be any data qualified as sensitive by the data exporter. Hence, UK organisations will need to identify biometric, genetic, sexual orientation and criminal offence data as 'sensitive data' when sending it to a certified US organisation so that it is treated as sensitive information under the UK Extension.
- For criminal offence data, some risks may remain despite the labelling of the data as sensitive. According to the ICO, the US does not offer protections equivalent to those laid down in the UK's Rehabilitation of Offenders Act 1974 (the Act). The Act sets limits on the use of data relating to criminal convictions once those convictions have become 'spent' following the relevant rehabilitation period, including the ability to request that such data be deleted. Hence, the ICO questions how these protections would apply once the information has been transferred to the US.
- The UK Extension does not provide a right substantially similar to Article 22 of the UK GDPR, which protects individuals from being subject to decisions based solely on automated processing. Under the UK Extension, individuals do not have the right to obtain a review of an automated decision by a human.
- The UK Extension does not establish rights substantially similar to those of Articles 7 (unconditional right to withdraw consent) and 17 (right to be forgotten) of the UK GDPR. In the ICO's opinion, while the UK Extension gives individuals some control over their personal data, this control is not as extensive as that which they have under the UK GDPR.
Key steps and actions
In order for UK organisations to lawfully transfer personal data from the UK to the US under the UK Extension, they should carry out the following checks and actions:
- Search the DPF list and confirm that the US organisation has signed up to the UK Extension and holds an active certification status.
- Explicitly identify certain types of data as 'sensitive' to ensure they attract the appropriate protections under the DPF. Specifically, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning sexual orientation and criminal offence data must be explicitly identified and labelled as 'sensitive'.
- Review the US organisation's privacy policies to understand its commitments and whether these correspond to the UK organisation's data protection standards.
- Update their own policies and documents to reflect any changes brought about by the transfers to the US.
If UK organisations do not rely on the UK Extension, they will have to implement alternative data transfer mechanisms (e.g., the International Data Transfer Agreement or the UK Addendum) or rely on an applicable derogation under Article 49 of the UK GDPR. In these cases, organisations may also need to carry out a transfer risk assessment.
For transfers of personal data between the UK and the US, the less burdensome and time-consuming requirements will be a welcome development for businesses and organisations. However, the ICO's opinion on the risk areas is significant, and it will be interesting to follow how the UK Extension operates in practice. UK organisations will need to monitor developments in this area, given the long history of transatlantic data transfer mechanisms (namely Safe Harbour and Privacy Shield) being invalidated by European courts. That said, because the UK has performed its own assessment of US adequacy independently of the EU, a legal challenge before the European courts will not necessarily cause a domino effect for the UK, as the UK courts will make their own independent judgement.
In the meantime, organisations that transfer data to the US may need to update their processes to reflect this new adequacy decision, as outlined above. Trilateral's Data Protection and Cyber-Risk Team has extensive experience advising and assisting organisations in ensuring they meet their obligations in the area of international data transfers. For more information, please contact our advisors or email firstname.lastname@example.org to discuss your requirements. Our team would be happy to help.