UK-US Data Bridge starts on 12 October but with reservations and limited scope
The UK-US Data Bridge was announced by the UK’s Department for Science, Innovation and Technology (DSIT) on 21 September and is due to enter into force on 12 October. If companies meet certain conditions, they will be able to transfer personal data to the US without using legal safeguards, such as Binding Corporate Rules (BCRs) and Standard Contractual Clauses (SCCs). This UK-US instrument follows the recently adopted EU-US version.
Behind this headline news, lies 16 explanatory documents from DSIT, the ICO and several from the US, including the Federal Trade Commission (FTC), the International Trade Administration, the Director of National Intelligence and the Department of Transportation.
UK-based companies planning to send personal data to the US using this Data Privacy Framework (DPF) must check whether the recipient companies have self-certified to conform with privacy principles enforced by the FTC and Department of Transportation (DoT), and administered by the Department of Commerce (DoC). “The Data Privacy Framework includes a set of enforceable principles and requirements that must be certified to, and complied with, in order for organisations to be able to join the DPF. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data.”
Exceptions and reservations
US organisations not subject to the jurisdiction of either the FTC or DoT — for example, banking, insurance, and telecommunications companies – are not included in the scheme.
DSIT acknowledges that the DPF does not mirror exactly the definition of special category data in Article 9(1) UK GDPR, as it does not include genetic data, biometric data for the purpose of uniquely identifying a natural person or data concerning sexual orientation.
If an organisation cannot rely on the DPF, then it should continue to use existing provisions, such as BCRs and SCCs. Companies may also need to carry out a transfer risk assessment to validate their transfers.
The ICO was consulted on the Data Privacy Framework and expressed reservations about the scheme stating "there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied". They include:
- “The definition of ‘sensitive information’ under the UK Extension does not specify all the categories listed in Article 9 of the UK GDPR.…there is no current requirement for UK organisations to identify information as sensitive. This creates a risk that the protections may not be applied in practice.”
- “For criminal offence data, there may be some risks even where this is identified as sensitive because, as far as we are aware, there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974.”
- “The UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual. In particular, the UK Extension does not provide for the right to obtain a review of an automated decision by a human.”
- “The UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent.”
The ICO also highlighted specific areas which the Secretary of State should monitor before a formal review in four years time.