US data transfers & the Data Transfers Bridge
US data transfers... are they allowed? Well.
Let’s get stuck in and I’ll explain all. In July this year, the EU Commission made an adequacy decision for the new EU-US Data Privacy Framework (DPF). This can be seen as Safe Harbor 3.0. Essentially, in most scenarios, data transfers from the EU to the US are now permitted without the need for other mechanisms such as Standard Contractual Clauses (SCCs).
Even before the Commission made this decision, activist organisations were strongly lobbying against it and warning that they would look to take the matter to the European Court of Justice (CJEU). Many, including a sizeable portion of MEPs, argue that the changes to safeguards surrounding intelligence access to data in the US have been minor and thus the privacy landscape does not afford adequate protection. However, in reality, there are material improvements in place so there is a distinct possibility that this time around, the system weathers the inevitable judicial action.
In the event that the CJEU agrees with the activists, it will be the case that a number of transfers between now and such time as that decision is reached, will effectively be unlawful. It is likely that in that scenario, a grace period will exist for existing activities while people work on implementing an alternative mechanism for bringing the processing back to the EU.
To avail of the mechanism, US businesses are required to self-certify. This means that it is not a scheme that applies by default; it requires a certain amount of work both on the US side of the transfer and on the EU side, where the certification needs to be checked. You can find more info about that here.
And the UK?
After the release of a number of statements about US data transfers, the UK government finally adopted the UK-US Data Bridge in October 2023. So, what does it mean for UK transatlantic data flow?
Well, the Data Bridge is essentially an adequacy decision adopted by the UK Government. It allows UK organisations to transfer individuals’ personal data to the US without making extra efforts. It operates as an extension of the EU-US Data Privacy Framework, under which US companies commit to specific privacy rules when dealing with the personal data of EU individuals. As a result of the Data Bridge, the same rules apply when those companies receive the personal data of UK individuals. So, US companies certified under this framework can easily and securely receive data from the UK. But it is important to note that not all US organisations fall under the UK-US Data Bridge. Only certified US companies within the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are covered. Companies which do not fall under this scheme can still rely on the existing safeguards of Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs).
An interesting note whilst I’m here: the UK-US Data Bridge does not provide several rights that are in the GDPR: the right to be forgotten, the right to withdraw consent, and the rights in relation to automated decision making and profiling. All of which means that it doesn’t offer a similar level of protection to data subjects as that granted by the UK GDPR.
To circle back to my slightly facetious intro, EU-US transfers and UK-US transfers are now easier than they were before, but it’s unknown for how long that will be true. You can still transfer data to the US, but doing so in a compliant way still requires some paperwork and, in some sensitive areas, consent.
Even though organisations using the UK-US Data Bridge are exempt from adopting Standard Contractual Clauses, the UK addendum, and International Data Transfer Agreements, they still need to make additional checks before allowing the transatlantic flow of data. They must make sure that the US entity receiving the data is both a current participant on the DPF list and has signed up for the UK extension to the EU-US Data Privacy Framework. And when dealing with the transfer of HR data, it’s essential to ensure that the organisation’s DPF commitments explicitly cover HR data.
When making international transfers, it’s important to make sure that your paperwork is in order. This will include your Records of Processing Activities (RoPA), internal data protection policy, any contracts and agreements involved, your privacy notices, and potentially a few others too. And nothing in SCCs, BCRs, or the UK-US Data Bridge gets you off the hook for doing your basic supplier due diligence.
Easy, right? Okay maybe not. If you have any questions, concerns, or doubts about these, check with your Data Protection Officer. If all of this sounds interesting but you’ve no idea what it all means, then I recommend you talk to an expert straight away. It might even be me you get.
Thanks to Rebecca Bada and Isha Mishra for their help in creating this article.