Third time lucky with US UK Data Transfers?

The distance between London and Washington is 3,674 miles. For data transfers this journey has proven difficult. We have had the Safe Harbor and the Privacy Shield – mechanisms agreed by the EU and US to facilitate the flow of personal data from the EU to the US. Both were struck down by the Court of Justice of the European Union (in the Schrems I and Schrems II judgments of 2015 and 2020). Essentially, the surveillance powers reserved by the US Federal Government meant that US companies could not guarantee EU citizens the same privacy rights as those afforded by European data protection law.

We now have the third attempt - the Data Privacy Framework (EU-US) and the Data Bridge (UK-US).

This note is for guidance only. The liabilities attaching to getting data transfers wrong mean that proper advice should be taken before relying on any of the mechanisms described below.

Introducing the Data Privacy Framework and the Data Bridge

The term ‘data bridge’ refers to the adequacy decision granted by the UK to the US.

The Data Bridge takes the form of a UK Extension to the EU-US Data Privacy Framework (the “DPF”), which was approved by the European Commission by adequacy decision in July 2023. Because of Brexit, the DPF does not apply to transfers of personal data from the UK to the US. The UK therefore had to craft a standalone arrangement with the US, which came into force on 12 October 2023. In practice the UK is “piggybacking” on the arrangements agreed by the EU with the US.

Separately from the analysis undertaken by the EU, the UK assessed the relevant US laws and practices governing access to and use of personal data by US agencies for national security and law enforcement purposes. On that basis the UK Government is satisfied that personal data processed in the US will benefit from adequate security and privacy rights, maintaining the level of protection for UK individuals’ personal data. Underlying this is Chapter V of the GDPR (whether “UK GDPR” or “EU GDPR”), which restricts transfers of personal data outside the UK/EU unless the destination has been found adequate or appropriate safeguards are in place, so that the data continues to be processed in accordance with the GDPR principles wherever it goes.

UK/EU businesses therefore cannot transfer personal data anywhere unless they are satisfied that these privacy rights will continue to be upheld. This is one reason why many European operations of US “big tech” companies are headquartered in Ireland.

The Data Bridge covers transfers of personal data from the UK to the US only (transfers in the other direction are not restricted by US law in the same way). It does not deal with flows of data from the UK to any other country.

The DPF is a bespoke, opt-in certification scheme for US companies, enforced by the Federal Trade Commission (FTC) and the Department of Transportation (DoT) and administered by the US Department of Commerce. The DPF sets out a series of enforceable principles and requirements that a US organisation must certify to and comply with. These principles are commitments to data protection governing how an organisation collects, uses and discloses personal data; an organisation that will not make them cannot join the DPF. A US organisation that has been certified to the DPF can then additionally opt in to the UK Extension in order to receive personal data from the UK.

It is not the case that every transfer of personal data from the EU/UK to the US is now deemed “safe”. Rather, transfers to US organisations that have committed to the DPF principles, been certified by the US Department of Commerce and (for UK data) opted in to the UK Extension are treated as transfers to safe recipients. Once a US organisation has been certified it is listed on the Data Privacy Framework List (the “DPF List”) on the DPF website, and the listing shows whether the organisation participates in the UK Extension. Certification must be renewed annually, so the listing should be checked rather than assumed.

Unlike the Privacy Shield, the Data Bridge (resting on the DPF) gives UK individuals an independent and binding redress mechanism, the newly established Data Protection Review Court, if they believe their personal data was collected or processed through US signals intelligence in a manner that violated applicable US law. Time will tell whether the Court of Justice of the European Union is satisfied with this.

Making life easier? - take aways for UK Businesses

  • UK companies can transfer personal data to US organisations certified to the DPF that have opted in to the UK Extension without the need for “standard contractual clauses” or binding corporate rules. The UK Government has published a checklist for exporters.

  • In any due diligence exercise with a US supplier, the UK company should confirm on the DPF List that the supplier’s certification is active and covers the UK Extension (and, for HR data, that it covers HR data), and should retain a record of that check.

  • If the US company is certified there is no need to conduct a transfer risk assessment.

  • But where the data carries a higher degree of risk (e.g. financial or health data) UK companies may wish to request specific information about the supplier’s security controls (encryption, firewalls and the like), or enquire whether the supplier has had any dealings with the US Department of Commerce or complaints brought by data subjects. That is not mandatory, but it reflects best practice.

  • Privacy notices must be updated so that UK individuals are told that their personal data is transferred to the US under the Data Bridge, as required by the transparency provisions of the UK GDPR.

  • Special category and other sensitive data can be shared with US organisations under the Data Bridge, but the UK exporter must correctly identify such data as sensitive to the US recipient when it is shared, because the DPF’s additional protections for sensitive data only apply to data so identified.

Gaps in the Bridge?

  • Only US organisations subject to the jurisdiction of the FTC or the DoT are currently eligible to participate in the DPF/Data Bridge. US organisations outside the jurisdiction of both — for example banks, insurers and telecommunications companies — are unable to participate.

  • Journalistic data, as defined in Supplemental Principle 2(b) of the DPF, is not subject to the requirements of the DPF. Such data therefore cannot be transferred under the Data Bridge.

  • Where criminal offence data is to be shared under the Data Bridge as part of HR data, the US recipient organisation must have indicated that it seeks to receive HR data under the DPF/Data Bridge. The ICO has also expressed concern that criminal offence data may be less well protected in the US, which has no equivalent of the protections in the UK's Rehabilitation of Offenders Act 1974 (under which convictions become “spent” after the relevant rehabilitation period). The ICO observes that it is not clear how those protections would apply to information once it has been transferred to the US.

  • The Data Bridge does not contain a right substantially similar to the UK GDPR’s protection against being subject to decisions based solely on automated processing that produce legal or similarly significant effects on the data subject. In particular, it does not include a right to have an automated decision reviewed by a human.

  • Nor does the Data Bridge include a substantially similar “right to be forgotten” (right to erasure) or right to withdraw consent. While the Data Bridge gives individuals some control over their personal data, that control is less extensive than the rights they enjoy in the UK.

What happens if the US Business has not certified or is unable to?

If you cannot rely on the Data Bridge to transfer personal data to the US, your organisation will have to fall back on one of the pre-existing appropriate safeguards (e.g. the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) or rely on one of the derogations for international transfers in Article 49 of the UK GDPR. Where you rely on the IDTA or the Addendum you will also need to carry out a transfer risk assessment to support the transfer.

Will #3 follow #s 1 & 2?

Given the benefits these arrangements secure for businesses, the ICO's critique of the Data Bridge is not insignificant.

The foundation of the Data Bridge is the DPF. The French MEP Philippe Latombe has brought an action before the EU General Court seeking annulment of the EU’s adequacy decision, and so of the DPF on which the Data Bridge rests, on the grounds that, among other things, the DPF violates the Charter of Fundamental Rights. Dr Schrems and NOYB, who successfully challenged the Safe Harbor and the Privacy Shield, have said that the DPF is no better than what went before.

Related Expertise

GDPR

Related People

Alexander Egerton
Ines Krausler