October 12, 2023
The eagle-eyed amongst you may have already spotted that on 21 September 2023 the UK Government announced a UK Extension to the existing EU-US Data Privacy Framework (the Data Bridge).
Subject (of course) to some exceptions, from 12 October 2023 UK businesses can begin transferring personal data to US organisations which sign up to the Data Bridge without needing to rely, as they currently do (or certainly should do!), on appropriate safeguards under the UK GDPR or a relevant derogation, e.g. explicit consent.
The Data Bridge is a bespoke, opt-in certification scheme for US organisations, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).
To be certified, a US organisation must comply with a set of enforceable Principles in respect of personal data, so that UK data subjects whose personal data are transferred through the Bridge receive an essentially equivalent level of protection to that under the UK GDPR. If and when certified and listed on the official Data Bridge list, a US organisation can then opt in to receiving personal data from the UK business.
Unfortunately, not all US organisations can take part. Currently, only US organisations subject to the jurisdiction of the FTC or DoT are eligible to participate.
Those which fall outside that jurisdiction (for example, banking, insurance and telecommunications companies) cannot currently participate. Note that, as a UK business, this doesn’t mean you have to stop transferring personal data to these types of US organisation; you just can’t use the Data Bridge to do so.
‘Journalistic data’ which is ‘personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives’ cannot be transferred using the Data Bridge.
Special category personal data can be transferred using the Data Bridge, but UK businesses need to be careful.
Interestingly (and don’t ask why!) the relevant Principle doesn’t exactly align with the definition of ‘special category’ personal data contained in the UK GDPR. Specifically, the Principle doesn’t include reference to genetic data (e.g. DNA sequences), biometric data for the purpose of identifying a natural person (e.g. fingerprints) or data concerning sexual orientation. The Principle does, however, require certified US organisations to treat as sensitive any information received which has been identified and previously treated as sensitive by the sending UK business.
Therefore, UK businesses which intend to transfer genetic, biometric or sexual orientation personal data through the Data Bridge must identify that personal data as sensitive, so that the receiving US organisation is obliged under the Data Bridge to give it appropriate protection.
Where criminal offence data (e.g. convictions, unproven allegations) are to be transferred through the Data Bridge as part of an HR relationship, the relevant certified US organisation must, before receiving that data, indicate that it is seeking to receive it under the Data Bridge.
Where criminal offence data are being transferred outside of an HR relationship, the UK business must identify them to the receiving US organisation as sensitive, in the same way as ‘special category’ personal data as described above.
As mentioned above, if you rely on the Data Bridge to transfer personal data to the US then you don’t need to rely on appropriate safeguards under the UK GDPR (or a relevant derogation). However, your contract with the US organisation would still need a part (e.g. an addendum) which covers off the requirements for controller-processor contracts under the UK GDPR.
Nevertheless, we’d suggest you watch this space for now and rely on the existing appropriate safeguards or a relevant derogation, which the Data Bridge doesn’t replace or invalidate. If and when the time is right, it’d then be a case of evaluating the extent of your business’s personal data flows to the US and taking the necessary steps to participate in the Data Bridge. This will include reviewing your privacy policy(ies) to ensure that they make clear that your business transfers any relevant personal data collected to the US. Additionally, you’ll need to know if the relevant US organisation is willing to sign up in the first place (at the time of writing, just over 2,500 US organisations (including Meta) have done so).
However, seasoned veterans will be aware that the transfer of personal data to the US has been a sticky subject ever since the invalidation of the old EU-US Privacy Shield through the CJEU’s ‘Schrems II’ decision.
Attempts have already been made to declare the EU-US Data Privacy Framework invalid, so it remains to be seen whether the Data Bridge will be challenged and if indeed it does turn out to be a bridge too far.
For help with the new Data Bridge or anything else data protection related, contact us now for a free, no-obligation discovery call.