Bridging the Atlantic: The New UK-US Data Transfer Framework

In a rapidly evolving digital age, data privacy is paramount and organisations are regularly adapting to new regulations and frameworks. For those involved in transferring personal data between the UK and the US, a common hurdle has been the increasingly complex safeguard requirements for these arrangements. Safeguards include completion of lengthy transfer risk assessments, analysis of US laws and surveillance practices, identification of an appropriate transfer mechanism such as standard contractual clauses or the International Data Transfer Agreement and, where applicable, additional supplementary measures to protect personal data.  Effective from 12 October 2023, the ‘UK-US data bridge’  may reduce some of this burden by enabling the  transfer of personal data to US organisations certified under the UK extension to the EU-US Data Privacy Framework (the "UK Extension") without the requirement for the additional safeguards.

A New Era of US Data Transfers

Transfers under the UK Extension will be permitted as a transfer based on an adequacy decision. Many countries which the UK already exchanges data with have an adequacy decision meaning that the other country’s regime offers an ‘essentially equivalent’ level of data protection as the UK GDPR and a decision has been taken to permit the flow of personal data from the UK to that country without further safeguards . The UK is joining the same streamlined framework with the US that the European Union approved in June 2023 and its member states have been utilising since July 2023. The UK and European Union’s decision to approve this framework has come following an executive order by President Biden’s administration to permit anyone whose personal data has been transferred to the US under any transfer arrangement (not just this new framework) access to redress mechanisms if they believe their personal data has been unlawfully accessed by US authorities.

The Certification Process

The UK Extension introduces an "opt-in certification" framework, allowing US organisations to become certified under this system. Certified organisations will be listed publicly on the Data Privacy Framework ("DPF") website and will renew the certification annually. They will need to provide details of certain personal data and special category data which they are seeking certification to handle following a transfer and be required to publish a DPF-compliant privacy statement. This transparency ensures that UK businesses can identify compliant partners for data transfers however UK organisations should be aware that they will still be expected to conduct diligence in this regard.

Key Considerations for Your Organisation

If your organisation transfers or plans to transfer data to the US, here are some essential points to consider:

1. Update Contracts and Policies: From 12th October 2023, it will be necessary to review and update (as applicable) contracts, privacy policies, and other relevant documents to reflect  changes brought about by the UK Extension to the extent they impact your organisation. Seek support from your DPO with this exercise.  
2. Eligibility of US Organisations: Remember, not all US organisations can utilise the UK Extension.  Currently, only US organisations that fall under the regulation of the Federal Trade Commission or the Department of Transportation in the US are eligible to participate.  
3. Special Category Data: While the DPF aligns with many aspects of UK GDPR, it does not cover all special category data as defined under Article 4 of UK GDPR. The regime is broad enough so that if a UK organisation categorises data as special category data, it should be treated this way under the DPF. However, UK organisations should proceed carefully as the onus is placed on the UK exporting organisation to ensure the correct categorisation of data.
4. Criminal Offence Data: When sharing criminal offence data as part of an HR data relationship (or for another reason) UK organisations must specify the reason for the transfer to the US recipient organisation which in turn must indicate its intention to receive such data under the DPF. This should be reflected in the certification on the DPF website.
5. Due Diligence: Before transferring personal data to the US, UK companies must check the DPF list to ensure that the US organisation is listed, has signed up to the UK Extension, covers special category and criminal offence data (if applicable) and review the privacy policy provided by the organisation on the DPF list. Organisations would be expected to undertake additional supplier due diligence to ensure that the processing is secure and compliant.
6. Exclusions: "Journalistic data" cannot be transferred under the UK Extension. This includes personal information gathered for publication, broadcast, or journalistic purposes.
7. Data Subject Rights: The DPF lacks provisions in relation to rights relating to automated processing, the right to be forgotten and the right to withdraw consent. This is problematic as UK individuals will reasonably expect to be able to exercise these legal rights. It is advised that UK organisations ensure they can meet their obligations to comply with these data subject rights before sharing data with an US recipient.
8. Fallback Options: The UK Extension is not a silver bullet. There will be cases where the UK Extension cannot be relied upon and organisations, businesses should be prepared to comply with Article 46 and 49 of UK GDPR, including implementing standard contractual clauses, international data transfer agreements and conducting transfer assessments when necessary.

As the world of data privacy continues to evolve, staying informed and adapting to new frameworks is essential. The UK Extension offers opportunities for streamlined data transfers, but also some challenges and vigilance and preparation are key to ensuring data remains protected during transfer to the US. The UK has expressed intentions to collaborate with other countries, such as Brazil, Colombia and Dubai, to reach adequacy decisions and establish necessary regulations. It is anticipated that discussions about international data transfer arrangements, like the UK Extension, will continue to evolve in the months and years ahead.

While the UK -US Extension represents a significant step forward in data transfer regulation, it's essential to proceed cautiously in these early days and to recognise that it is not the panacea for all transfers of personal data across what will remain, for the time being,  a choppy pond.

Thorntons’ Data Protection Team are on hand to provide tailored advice if you are considering the international transfer of data to any jurisdiction including the US under the UK Extension. Call us on 03330 430350.