The EU-US Data Privacy Framework and what this means for the UK
In June this year both the UK and the US committed 'in principle' to establish a UK extension to the EU-US Data Privacy Framework (the EU Framework) creating a ‘data bridge’ to facilitate the free flow of personal data between the UK and the US.
On 10 July, the European Commission adopted its adequacy decision for the EU Framework. In this update the Trowers & Hamlins Data Protection Group looks at the EU Framework and what it could mean for UK businesses.
The current position in the UK
The US is one of the UK's leading trading partners and, according to the UK government's official press release, in 2021 about 30% of the UK's total data-enabled services exports were to the US.
Despite this relationship, the UK General Data Protection Regulation means that in most cases UK businesses which want to send personal data to the US may not do so unless an appropriate transfer mechanism is in place, such as the EU standard contractual clauses with the UK addendum, the UK International Data Transfer Agreement, or binding corporate rules.
Where a contractual mechanism is used for an international transfer, the UK entity must also currently undertake a transfer risk assessment, which involves assessing the risk to the personal data being transferred. These assessments can be burdensome and time consuming, as they involve assessing not only the local laws which apply to the recipient but also matters such as data security and the likelihood that the recipient will comply with UK data privacy legislation.
The implementation of a UK-US data bridge would allow personal data to flow between the UK and the US in a far easier and faster way while still safeguarding the data transferred. The UK government has stated its view that establishing a UK-US 'data bridge' will make it easier for around 55,000 UK businesses to transfer personal data freely to certified US organisations without cumbersome red tape, translating into an estimated £92.4 million in direct savings per year.
It is not clear what this figure is based upon but the numbers in play based upon the UK government's statement are significant.
The EU Framework
After lengthy negotiations the EU and the US have reached agreement on the EU Framework, which will no doubt become fundamental to commerce, trade and investment between the US and the EU.
The EU Framework is the third iteration of a data transfer framework between the EU and the US. The first, 'Safe Harbor', was declared invalid in 2015 and replaced by the 'Privacy Shield' framework in 2016, which was in turn declared invalid on 16 July 2020. In both cases the Court of Justice of the European Union found that US surveillance law allowed the US government to access EU data subjects' personal data beyond what was strictly necessary, and did not give those data subjects effective redress, which invalidated the framework then in place. Subsequently, in October 2022, the White House issued an executive order (Executive Order 14086) establishing principles-based safeguards governing US signals intelligence activities, including a new redress mechanism for EU data subjects.
Following the October 2022 executive order, the European Commission has now concluded that the US can ensure an adequate level of protection for EU personal data under the new EU Framework. This means personal data can now flow from the EU to US organisations which are certified under the EU Framework without the need to put additional contractual international safeguards in place or to undertake transfer impact assessments.
To gain certification under the EU Framework, US organisations self-certify to the US Department of Commerce and are required to publicly declare their commitment to comply with its principles on notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement and liability. Organisations are required to make their privacy policies available and to ensure they are fully implemented.
Those organisations which are able to successfully demonstrate that they meet the requirements of the framework and obtain certification will benefit from the advantages of a valid transfer mechanism for receiving personal data from the EU.
The potential impact for UK businesses
Post-Brexit, EU adequacy decisions no longer apply directly within the UK. This means that whilst UK businesses can rely upon the EU-US decision for transfers of personal data which are subject to the EU GDPR, they still cannot currently rely upon it for transfers of personal data from the UK to the US.
The UK government has reached agreement in principle with the US to put in place a new data bridge between the two countries, which would be a UK extension to the EU-US data bridge.
The adoption of the EU-US adequacy decision hopefully means that the UK version can be expected imminently; the UK government will not want it to be more cumbersome for UK businesses to deal with the US than it is for EU businesses.
Once implemented, the ‘data bridge’ will speed up processes for businesses, reduce costs and increase opportunity by making it easier for UK businesses to operate and trade with the US. It will also allow personal data to be transferred securely and more freely from UK organisations to certified organisations in the US and remove the need for contractual transfer mechanisms and transfer risk assessments, which can be costly and time consuming.
Being able to share personal data securely with the US without additional restrictions will be an important milestone for UK businesses. The establishment of a data bridge will drive transatlantic research and innovation, and will make it easier for UK businesses to operate and trade internationally. However, the implementation of data bridges is not without its challenges, and privacy campaigners have already expressed concern over the adequacy of the EU-US decision. It remains to be seen if and how this will affect the UK's decision. It is worth noting that the UK's landmark adequacy decision for South Korea, which put a data bridge in force between the two countries with effect from 19 December 2022, was broader in scope than the EU's adequacy decision for South Korea. As such it may well be that the UK-US data bridge also goes further than the EU Framework.
At the moment there is still work to do on both sides of the Atlantic before a UK extension to the EU-US data bridge is implemented. The UK is finalising its assessment of the adequacy of US data protection laws and practices, taking into account the protection provided for personal data, the rule of law, respect for human rights and fundamental freedoms, and the existence and effective functioning of a US regulator with responsibility for data protection.
The UK and the US have also announced new measures under the 'Atlantic Declaration' to work together upon matters such as reducing vulnerabilities across critical technology supply chains (including a new civil nuclear partnership), holding an international summit on AI safety, collaborating on research to entrench UK and US leadership in the most important future technologies and finding new opportunities to invest in each other's economies.
The timing and next steps are not yet confirmed, but it is anticipated that a UK-US data bridge will be established this year, and that the UK and US will continue working together as part of wider discussions on an inclusive and responsible digital transformation package. That package includes the regulation of artificial intelligence, an area in which the US approach differs markedly from the EU's proposed Artificial Intelligence Act.
UK organisations should continue to monitor developments around the implementation of a UK-US data bridge and, in the meantime, should keep using appropriate transfer mechanisms, including transfer risk assessments, until the data bridge is established.
For further information on how your organisation's data transfer mechanisms might be affected by the implementation of the EU Framework, or any future implementation of a UK-US data bridge, please contact our Data Protection Team.