First there was Safe Harbor, and that turned out to be unsafe. Then there was Privacy Shield, which did not provide the protection claimed for it. Now, today, the UK US Data Bridge comes into force and US firms can transfer UK personal data.
The Bridge is actually a UK extension to the EU-US Data Privacy Framework (DPF). The UK Government decided that this does not undermine the level of data protection for UK data subjects when their data is transferred to the US, while the US Attorney General designated the UK as a ‘qualifying state’ to use a newly-established redress mechanism if British citizens believe their personal data has been unlawfully accessed by American security authorities.
So, what is a data bridge? The UK Department for Science, Innovation and Technology explains it in the following terms:
The term ‘data bridge’ is our preferred public terminology for ‘adequacy’, and describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards. It symbolises the connection between destinations that is established by these decisions and encapsulates the UK’s collaborative approach with our international partners.
Data bridges are not reciprocal, therefore they do not allow the free flow of data from other countries to the UK. Instead, a data bridge ensures that the level of protection for UK individuals’ personal data under UK GDPR is maintained.
A data bridge assessment takes into account, amongst other things, the protection the country provides for personal data, the rule of law, respect for human rights and fundamental freedoms, and the existence and effective functioning of a regulator.
Data bridges secure the free and safe exchange of personal data across borders, from the UK to another country. They unlock growth for businesses, allow us to share crucial information for life-saving research, and encourage science and innovation across borders. Reducing barriers to data sharing also makes things better for consumers, opening up opportunities for higher-quality services and lower prices on things they pay for.
Any US importer of data must self-certify to the DPF and the Data Bridge. UK exporters of data that currently rely on European Union Standard Contractual Clauses (SCCs) can no longer use these, unless they are already tied into contracts based on them, in which case the SCCs can still be used until March next year.
Will it work?
The UK data regulator, the Information Commissioner’s Office, has warned that there are still potential risks involved with the Data Bridge arrangement:
- The definition of ‘sensitive information’ under the UK Extension does not specify all the categories listed in Article 9 of the UK GDPR. Instead, the UK Extension includes a catch-all provision specifying, “...any other information received from a third party that is identified and treated by that party as sensitive.” Accordingly, UK organisations will need to identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a US certified organisation so it will be treated as sensitive information under the UK Extension. However, there is no current requirement for UK organisations to identify information as sensitive. This creates a risk that the protections may not be applied in practice.
- For criminal offence data, there may be some risks even where this is identified as sensitive because, as far as we are aware, there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974. This Act places limits on the use of data relating to criminal convictions when those convictions have become ‘spent’ following the relevant rehabilitation period, including the ability to request that this data is deleted. It is not clear how these protections would apply once the information has been transferred to the USA.
- The UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual. In particular, the UK Extension does not provide for the right to obtain a review of an automated decision by a human.
- The UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent. While the UK Extension gives individuals some control over their personal data, this is not as extensive as the control they have in relation to their personal data when it is in the UK.
So will it be third time lucky for transatlantic data transfers? UK law firm Birketts reckons:
Although the Bridge is not free from criticism and potential legal challenges, UK businesses should benefit from more efficient data flows across the Atlantic once the Bridge is introduced.
UK businesses should consider reviewing their privacy policies and data processing activities to reflect their reliance on the Bridge. In addition, it is important to ensure that the US recipient is DPF certified, and that any sensitive data being transferred is correctly identified.
Owing to the issues highlighted by the ICO, and to ensure that the differences in UK and US law do not reduce protections for data subjects, UK businesses should also consider putting in place further contract terms with US entities to enforce data subjects’ right to be forgotten, right to withdraw consent and rights surrounding automated processing.
It’s a start. Third time’s a charm, right? It’ll end up being challenged in the usual courts, of course. Fingers crossed it’s more robust than its two predecessors.