Modern-day business transactions heavily rely on international data transfers. In 2021, 93% of the UK's services exports were data-enabled, resulting in over £79 billion worth of services exported to the US. However, despite this strong relationship, the UK GDPR’s requirements somewhat hinder current arrangements.
UK and US government officials have agreed in principle to establish a new legal framework for facilitating personal data transfers from the UK to the US. The new “data bridge” would extend the EU-US Data Privacy Framework. The UK government said in a press release that the framework would “make it easier for around 55,000 UK businesses to transfer data freely to certified US organizations without cumbersome red tape.”
How Do Businesses Comply with GDPR?
The EU GDPR and its UK counterpart have regulations regarding transferring personal data outside the European Economic Area (EEA). These regulations aim to maintain the same level of protection for personal data exported to other jurisdictions as provided under the GDPR. Businesses have various mechanisms to ensure that EU or UK data protection standards are upheld when exporting personal data.
The legal tools and mechanisms for transferring personal data fall into two main categories.
Countries benefiting from an adequacy decision
When a third country provides an adequate level of data protection, the policymaker (the European Commission for the EU, the UK Government for the UK) may adopt an adequacy decision. Where an adequacy decision exists, data transfers do not require any specific authorisation.
Countries without an adequacy decision
In the absence of an adequacy decision, organisations may not transfer data unless appropriate safeguards are in place. Several safeguards are authorised, including binding corporate rules and data protection clauses adopted by a supervisory authority (e.g. the EDPB).
In July 2023, the European Commission adopted an adequacy decision for the transfer of data to US commercial organisations under the EU-US Data Privacy Framework. The framework was developed after its predecessor, the EU-US Privacy Shield, was invalidated by the Schrems II ruling.
In June 2023, the UK and US announced their intention to finalise a “data bridge for UK-US data flows” in 2023. Once finalised, the data bridge would constitute a UK-issued adequacy decision for the US.
Why Build a Data Bridge?
As explained above, having an adequacy decision between two countries is the simplest way to handle data transfers, as it makes data transfer lawful by default. “A data bridge would avoid the need for businesses to utilize costly and inefficient alternative transfer mechanisms, such as individual contractual clauses when transferring personal data,” said the UK government, which intends to consult the Information Commissioner’s Office (ICO), the UK’s data protection authority, on the UK-US data bridge.
Being able to process data efficiently creates value. The "data bridge," once established, will encourage research and innovation between trans-Atlantic partners. The framework supports organisations looking to collaborate and share data, allowing crucial information to be shared to enhance scientific research and encourage innovation across borders. Strengthening the digital rights of UK individuals, ensuring reliable data flows, and reducing burdens on businesses are the main priorities of the UK-US agreement.
Enforcement across borders is a key issue, as national legal systems differ. For that reason, and to avoid possible conflicts between the UK and the EU, the UK-US Data Bridge is based on the EU-US Data Privacy Framework. “An agreement with a broader scope than the EU-US agreement could potentially have threatened the UK’s EU adequacy status. A UK extension to the Data Privacy Framework is the most streamlined approach to take; it is likely to be the smoothest approach for reaching political agreement. It is also the least likely to cause issues for the UK’s own EU adequacy status, as the UK approach will presumably align with the EU’s,” commented data protection law expert Rosie Nance of Pinsent Masons.
The EU-US Data Privacy Framework and the UK-US Data Bridge represent significant progress towards better protection of personal data for millions of citizens.
However, dissenting opinions have emerged that call into question the adequacy decision granted to the US by the European Commission. In particular:
- In May 2023, the European Parliament adopted a text concluding that “the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection”
- In February 2023, the European Data Protection Board issued a statement expressing “concerns and requests clarifications on several points including certain rights of data subjects, bulk collection of data”
- In July 2023, NOYB (the privacy advocacy organisation founded by Max Schrems) issued a detailed statement about the legal action it intends to take to challenge the adequacy decision
This creates serious grounds for a possible invalidation of the adequacy decision by the Court of Justice of the European Union, in what would be a “Schrems III” ruling.
Organisations also face a growing number of regulations beyond personal data protection (e.g. DORA, NIS, AI regulation).
In such a time of uncertainty and growing regulatory pressure, organisations must undertake robust due diligence before transferring personal data anywhere outside their jurisdiction (EEA, UK), not just to the US, and take remediation steps based on specific technical and organisational measures to protect data, regardless of the legal framework used for the transfer.
Learn how Thales can help your business meet the regulatory requirements of tomorrow today.