The ability for UK and EU organisations to safely and lawfully share data with US organisations is key for fostering trade and helping economies. Therefore, it has been a key priority for the EU and the UK to facilitate trade and the transfer of personal data to the US. On 10th July 2023, the European Commission announced its adequacy decision on the EU-US Data Privacy Framework (DPF). This meant that any data transfers between the European Union and the United States (US) from any public or private entity in the EEA to certified US companies were covered under the approved EU-US Framework with immediate effect. Recently, the UK Government announced it will follow the EU’s decision and confirmed that the ‘UK-US Data Bridge’ will come into effect from 12th October 2023. This would introduce another mechanism for the lawful transfer of personal data between the UK and the US.
The US is the home of many companies which specialise in technology, data storage, and data processing. Well known examples include Meta, X (formerly Twitter), Google and Microsoft. These companies are also known as ‘Big Tech’ and they are responsible for facilitating large volumes of data transfers to and from the US.
The desire to develop mechanisms that facilitate data transfers between the UK and the US in line with data protection legislation has been the focus of significant work for many years. Originally, the International Safe Harbor Privacy Principles were developed to protect personal data. However, in 2015 the Austrian activist and lawyer Max Schrems brought a case against the Irish Data Protection Commissioner (DPC) arguing that the use of the US-EU Safe Harbor Framework was illegal. Following the 2013 Snowden revelations, Schrems was concerned that US intelligence agencies could access his personal data in violation of his EU data protection rights. This led to the Schrems I ruling: on 6th October 2015, the European Court of Justice declared that the Safe Harbor Framework, which had been in place since 26th July 2000, was invalid.
In response to the Schrems I ruling, the EU-US Privacy Shield was developed in 2016. However, the legality of the Privacy Shield only lasted four years. Schrems made another complaint to the Irish DPC, focussed on Facebook’s use of Standard Contractual Clauses (SCCs) to transfer personal data. SCCs had become the primary accepted mechanism for sharing the personal data of European citizens with third countries outside of the European Economic Area (EEA), so the legal challenge raised questions about their effectiveness. This case made its way to the Court of Justice of the European Union (CJEU), and Schrems’ complaint (11 questions) also queried whether the Privacy Shield was a suitable mechanism for protecting EU personal data from US government agencies. On 16th July 2020, the CJEU ruled in favour of Schrems, declaring the Privacy Shield unlawful in what is now known as the Schrems II Judgement.
Following the Schrems II Judgement, companies that were previously relying on the EU-US Privacy Shield needed to identify an alternative legal mechanism for transferring personal data to the US. In their judgement, the CJEU upheld the use of SCCs but raised doubt over the effectiveness of their use. This caused significant confusion and problems for companies as the rules relating to US data transfers had become even more complex and confusing than before. The Schrems II case therefore had the potential to severely impact trade with the US for organisations based in the EU and UK.
Just over three years after the Schrems II Judgement, the EU-US Data Privacy Framework (EU-US DPF) was announced. This is a bespoke, opt-in certification scheme for US companies, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC). The EU-US DPF covers transfers of personal data from any public or private entity in the European Economic Area (EEA) to self-certified companies in the United States (US). Once a US organisation has self-certified through the US DoC, it is required to adhere to the privacy principles within the EU-US DPF.
The principles of the new framework provide assurance to EU data subjects that when their personal data is transferred to the US under the EU-US DPF, it will receive the same level of protection as stipulated by EU data protection legislation. The EU-US DPF builds on the previous frameworks (Safe Harbor and the EU-US Privacy Shield) and still retains the self-certification mechanism. As part of the EU-US DPF, national surveillance agencies are held to stricter standards when it comes to the personal data they can access and how they can access it, and the framework provides a clearer definition of what is regarded as “necessary and proportionate”. Furthermore, data subjects will have access to an individual redress mechanism in cases of non-compliance.
Although the UK’s departure from the EU resulted in a UK-specific data protection regime, the UK Data Protection Act and UK GDPR currently remain in line with the EU GDPR. Nonetheless, the UK government has adopted the term ‘data bridge’ as its preferred terminology for ‘adequacy’ (the term used by the EU to describe a country outside the EU that offers an adequate level of data protection). It describes a data bridge as the ability to transfer (flow) personal data from the UK to another country without the need for further safeguards.
Following the introduction of the EU-US DPF, the UK Government announced that it had established a data bridge with the US through a UK Extension to the EU-US DPF. From 12th October 2023, UK businesses and organisations will also be able to transfer data to organisations in the US that comply with the requirements of the EU-US DPF. In response, the US Attorney General announced the UK as a ‘qualifying state’. This extends the newly established redress mechanism which deals with potentially unlawful access to personal data by US authorities under the guise of national security to all UK data subjects whose personal data has been transferred to the US.
The UK-US Data Bridge is not the first data-sharing agreement the UK has signed post-Brexit, and it will not be the last. The first data-sharing agreement was the South Korea Adequacy Decision in July 2022.
The EU-US DPF and the UK Extension simplify the process of transferring personal data to the US. Previously organisations were required to undertake a Transfer Risk Assessment (TRA) and implement SCCs and/or an International Data Transfer Agreement (IDTA) which was often a lengthy, complex and costly process. Instead, organisations based in the EEA can now rely on the EU-US DPF, and UK organisations can rely on the UK-US Data Bridge to facilitate transfers of data between them and the US. All that is required is for the US organisation to abide by the principles and self-certify with the US Department of Commerce.
If an organisation uses the UK-US Data Bridge to transfer personal data, it must ensure that high standards of data protection are maintained when data is transferred from the UK to certified US organisations. It’s important to note that the data bridge does not remove the obligations of UK companies under UK data protection legislation to ensure that data, and in particular special category data, is appropriately protected and that data subject rights are upheld. Appropriate technical and organisational measures must therefore still be implemented and maintained to adequately protect personal data. Cyber Essentials, Cyber Essentials Plus and ISO 27001 are all established information security frameworks with associated certifications that organisations can implement and adhere to in order to support the use of appropriate technical and organisational measures.
As with previous mechanisms to facilitate the transfers of personal data to the US, there is the likelihood that Schrems (or others) may object to the use of both the EU-US DPF and the UK-US Data Bridge. The UK Government is however confident that the bridge will be an appropriate and reliable safeguard that has addressed the concerns raised by the 2020 Schrems II Judgement.
It remains to be seen if either the UK-US Data Bridge or the EU-US DPF will stand the test of time. There is an ongoing debate over whether the EU-US DPF and the UK Extension provide adequate protection for data subjects’ personal data. In particular, there are still concerns about the effectiveness of the limitations placed on US national security organisations and whether these are sufficient to protect data subjects’ rights under UK and EU data protection legislation.
Only time will tell if Schrems, through his organisation ‘noyb,’ will file further legal action(s) to challenge the validity of either the EU-US DPF or the UK-US Data Bridge. For now, however, organisations once again have some clarity and simplicity when it comes to data sharing with the US.