Right on (the widely speculated) schedule, the UK Government laid the Data Protection (Adequacy) (United States of America) Regulations 2023 (the Regulations) before Parliament on 21 September 2023.
These Regulations bring the UK Extension to the EU-US Data Privacy Framework (DPF) into force on 12 October 2023 (for more on the EU-US DPF see our previous article here). From that date, data can flow freely from the UK to eligible US organisations that have signed up to the UK Extension to the DPF and appear on the DPF list, without the need for a transfer mechanism or further safeguards.
The Regulations are the final step in a long process of bilateral negotiations between the UK and US, albeit between parties who announced back in January 2023 that they were committed to finalising and implementing a data bridge for UK/US data flows in 2023. Alongside the Regulations themselves, the Government has published supporting documents, including “an explainer”, a factsheet for UK organisations, the ICO’s Opinion on this decision, the Government’s analysis of the UK Extension to the EU-US DPF, a paper supporting the designation of the UK as a qualifying state in the US and various letters from the US departments involved in the DPF.
It is important to remember that only eligible organisations in the US can sign up to the UK Extension to the DPF, i.e. those that are subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) or the Department of Transportation (DoT). This currently means that banking, insurance, telecoms and certain manufacturing companies are not eligible, so for transfers to these organisations other transfer mechanisms, such as Standard Contractual Clauses, remain relevant.
Some of our clients will also be interested in the fact that journalistic data, as defined in Supplemental Principle 2(b) of the EU-US DPF, is not subject to the requirements of the DPF and therefore such data cannot be transferred under the DPF or the UK Extension to the DPF.
Will this (and/or the EU-US) framework be challenged?
Already some are wondering whether, or rather when, this new framework will be challenged. Will it be third time lucky for transatlantic data flows? Will there be a Schrems III? Well, Max Schrems and noyb have already declared the DPF is “largely a copy of the failed Privacy Shield” that doesn’t go far enough to address the Schrems II “fundamental” surveillance issues, and they “expect this to be back at the Court of Justice by the beginning of next year”. However, on 6 September 2023 it was French MP and CNIL Commissioner Philippe Latombe who lodged a request for the annulment of the EU-US DPF at the Court of Justice of the European Union (CJEU), making clear he was doing so in a personal capacity and not as a politician or member of a DPA. There are also reports of privacy activists in other continental European countries gearing up to launch their own challenges.
However, so far there is no similar comment in the UK – and it will be an interesting turn of events if at some point the EU-US DPF is taken out of play by a challenge while the UK-US version remains. Will the UK then come under pressure (at a time when its own adequacy decision is being reviewed) to toe the line on UK-US transfers?
For those looking for grounds to challenge the EU adequacy decision or the UK-US data bridge, the ICO’s Opinion may prove fruitful. While the ICO concludes that it is “reasonable” for the UK Government to find there is an adequate level of protection, it identifies four areas that “could pose some risks to UK data subjects if the protections identified are not properly applied.”
The areas in question are:
- Special category data
The issue arises because the definition of special category data in Article 9(1) of the UK GDPR is not an exact match for the Choice principle (see 2(c)) in the DPF, which does not include “genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning sexual orientation”. The workaround is that if information received is identified and treated as sensitive by the third party sharing it, then organisations under the DPF are also required to treat that information as sensitive. In practice this means that if you are transferring special category and/or sensitive data under the UK Extension to the DPF, you must correctly identify the information as such when it is shared, paying particular attention to genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation.
The ICO’s Opinion refers to, and welcomes, a proposal for the Department for Science, Innovation and Technology (DSIT) to publish guidance for UK organisations to ensure special category data is identified as sensitive and treated as such. In the meantime, information is available in the factsheet for UK organisations.
- Criminal offence data
If criminal offence data is to be shared under the UK Extension to the DPF in a human resources context, then the US recipient organisation is required to “indicate that they are seeking to receive such data under the DPF”. Data that falls into this HR data category is set out in Principle 9(a)(i) of the DPF as “…personal information about its employees (past or present) collected in the context of the employment relationship [transferred] to a parent, affiliate, or unaffiliated service provider in the United States participating in the EU-U.S. DPF.”
If criminal offence data is to be shared outside of an HR relationship, then the UK organisation must inform the US recipient organisation that the data is sensitive data requiring additional protections, much as for special category data as set out above.
Concerns have been raised that in either scenario, even where the criminal offence data is identified as sensitive, there may still be some risk, as the US does not have protections equivalent to those in the UK’s Rehabilitation of Offenders Act 1974.
- Automated processing
This is an area of contention because, as things stand, there is no substantially similar right protecting UK individuals from being subject to decisions based solely on automated processing which produce legal effects or are similarly significant (Article 22 UK GDPR). Most notably, there is no right to obtain a human review of an automated decision. This is an interesting area given the regulatory focus on, and to a degree the public attention and interest in, AI, the regulation of AI and AI’s use in the workplace.
- Right to be forgotten and unconditional right to withdraw consent
While the UK Extension to the DPF does provide some controls, these are not as extensive as the control an individual has over their personal data while it is in the UK; for example, the DPF has no substantially similar right to either the right to be forgotten or the unconditional right to withdraw consent.
How this plays out will be interesting to watch, as despite these deficiencies the ICO still determined it was “reasonable” to conclude there is an adequate level of protection for the UK-US data bridge to go ahead. This may reflect the time, effort and extensive negotiations that resulted in the DPF and the desire to make it future-proof against any potential challenge. The UK Extension to the DPF must be reviewed every 4 years, so close scrutiny will be applied to these potential areas of risk.
What should I do now?
All that said, most organisations will welcome the UK Extension to the DPF, and there are some practical steps UK organisations can take now if they wish to rely on it, namely:
- Work out which of the US organisations you transfer data to are eligible to sign up to the framework (for those that cannot sign up, you will need to continue to rely on your existing transfer mechanisms and TRAs)
- Check eligible US organisations are signed up to the UK Extension and appear on the DPF list published by the US Department of Commerce
- If you are transferring special category data or criminal offence data, be sure to identify it as sensitive data before transferring it
- If criminal offence data is to be shared in a human resources context, ensure the US recipient organisation indicates that it is seeking to receive such data under the DPF
- Update your privacy policies and documentation to reflect any changes in processing activities
- Remember that you can only rely on this framework from 12 October 2023, when it comes into force
And of course, if you have any questions please do not hesitate to get in touch with your usual LS contact.