Out-Law News
09 Jun 2023, 2:32 pm
UK and US government officials have reached an agreement in principle over the establishment of a new legal framework for facilitating the transfer of personal data from the UK to the US.
The new “data bridge” would be an extension of the EU-US Data Privacy Framework, dubbed ‘Privacy Shield 2.0’. The government said it would “make it easier for around 55,000 UK businesses to transfer data freely to certified US organisations without cumbersome red tape” and deliver annual savings to business of around £92.4 million.
Both the EU General Data Protection Regulation (GDPR) and its UK equivalent impose restrictions on the transfer of personal data internationally, outside of the European Economic Area (EEA). The strict conditions under which data transfers are permitted are designed to ensure that personal data that benefits from the protections under the GDPR continues to benefit from an equivalent standard of protection in the jurisdictions to which the data is exported.
There are different mechanisms provided for under the GDPR that businesses can rely on for ensuring EU, or UK, data protection standards continue to apply to personal data when exported. Adequacy decisions are one such mechanism. These are designations made by policymakers that enable the free flow of personal data to the designated jurisdictions.
The European Commission has signalled its intention to adopt an adequacy decision in respect of the EU-US Data Privacy Framework. That framework has been developed after its predecessor, the EU-US Privacy Shield, was invalidated by a ruling of the EU’s highest court. The UK-US data bridge, when finalised, would constitute a UK-issued adequacy decision.
“A data bridge would avoid the need for businesses to utilise costly and inefficient alternative transfer mechanisms, such as individual contractual clauses, when transferring personal data,” said the UK government, which intends to consult the Information Commissioner’s Office (ICO), the UK’s data protection authority, on the UK-US data bridge.
Data protection law expert Rosie Nance of Pinsent Masons said: “This announcement provides more certainty on what the framework for data flows between the US and the UK will look like. We now have confirmation that there will be a UK extension to the Data Privacy Framework between the US and EU, similar to the Swiss-US Privacy Shield under the previous framework.”
The UK and US had announced “significant progress towards a data adequacy agreement” when president Joe Biden signed an Executive Order in relation to the framework in October 2022. Nance said, however, that there was no confirmation at that stage on what form the adequacy agreement could take.
Nance said: “An agreement with broader scope than the EU-US agreement could potentially have threatened the UK’s EU adequacy status. A UK extension to the Data Privacy Framework is the most streamlined approach to take; it is likely to be the smoothest approach for reaching political agreement. It is also the least likely to cause issues for the UK’s own EU adequacy status, as the UK approach will presumably align with the EU’s.”
The announcement of the new UK-US data bridge forms part of a broader ‘Atlantic Declaration’ agreed by US president Joe Biden and UK prime minister Rishi Sunak, which includes a commitment to step up international efforts to ensure the safe and responsible development of artificial intelligence (AI) systems.