Media House International Ltd

DATA PRIVACY FRAMEWORK: BRIDGING THE GAP

James Curry, Associate at London-based law firm Rosling King, considers whether the UK Extension to the EU-US Data Privacy Framework goes far enough. 

  • Reviews the UK Extension to the EU-US Data Privacy Framework.
  • Examines whether the safe exchange of personal data across borders has the possibility to strengthen capital growth for businesses and break down potentially restrictive barriers to the sharing of data.

Since 12 October 2023, businesses in the UK have been able to transfer personal data to US organisations certified to the UK Extension to the EU-US Data Privacy Framework (DPF) under Art 45 of the UK General Data Protection Regulation (GDPR), without the need for further safeguards such as those contained in the GDPR.

This follows the decision by Parliament to establish a UK-US data bridge, through the UK Extension, and lay adequacy regulations in Parliament to better facilitate the transfer of personal data from the UK to the US.

What is the DPF?

The DPF is a package of measures designed to govern how personal data is protected when transferred from the UK to the US. It replaced the EU-US Privacy Shield framework that was established in 2016, allowing personal data to be transferred freely from the UK to US companies through an EU adequacy decision.

The framework is a bespoke, opt-in certification scheme. It is made up of enforceable principles and requirements which must be certified, and complied with, in order for organisations to be able to join the DPF. For example, those enforceable principles take the form of commitments to data protection and govern how organisations use, collect and disclose personal data.

The DPF is enforced by both the US Federal Trade Commission (FTC) and US Department of Transportation (DoT), and is administered by the Department of Commerce, meaning any commitment under the UK-US data bridge becomes enforceable under US law.

Who can be a participant to the DPF?

The establishment of the DPF does not simply permit organisations within the UK to transfer personal data to any data importer/recipient in the US. It follows that only those organisations that are certified to the UK Extension, and which appear on the DPF list, can transfer data freely.

Only US organisations subject to the jurisdiction of the US FTC or the US DoT may participate in the DPF programme. This means organisations not subject to the jurisdiction of either—for example, banking and insurance companies—are not eligible to participate in the DPF programme.

Those interested in checking what US organisations are already certified under the DPF list can review the data privacy framework website. Already, it includes the likes of Adobe Inc, Google LLC, Microsoft Corporation and Tiffany & Co.

How does the UK-US Data Bridge change the transfer of data?

The framework may be beneficial to UK organisations as they no longer need to ensure additional safeguards are in place, which can be time-consuming, costly and/or complex, depending on the personal data being transferred.

For example, some of the additional safeguards that previously needed to be satisfied under Arts 46 and 49 of the GDPR included the following:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • contractual clauses, ie, between the controller or processor; and
  • the satisfaction of various conditions, ie, whether the transfer is necessary for important reasons of public interest or for the establishment, exercise or defence of legal claims.

Possible risks under the DPF

Journalistic data (ie, personal information gathered for publication, broadcast or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives) is not subject to the requirements of the DPF. This means journalistic data cannot be transferred under the UK-US data bridge.

Although special category and sensitive data (for example, genetic data, biometric data for the purpose of uniquely identifying an individual, and/or data concerning sexual orientation) can be shared with US organisations under the DPF, the UK-sharing organisation must correctly identify the data as such when sharing it. This is to make sure it receives the appropriate protections under the framework.

Conclusion

Understandably, there may be concerns about the standard of data protection under the DPF. However, the Secretary of State has determined that the UK Extension to the DPF does not undermine the level of data protection for UK organisations, as the DPF maintains high standards of privacy for personal data being transferred to the US. With that in mind, the safe exchange of personal data across borders has the potential to strengthen capital growth for businesses and break down potentially restrictive barriers to the sharing of data.

The framework is in its infant stages of life. It will no doubt evolve to ensure that it functions as intended—to protect personal data being transferred to the US. Therefore, it will be important for UK organisations (and legal practitioners) to observe commentary and/or case law in this area to see what the true impact of the DPF will be on the sharing of data for UK organisations.

James’ article was published in the New Law Journal, January 2024 issue.