Following the recent agreement in principle between the UK and US to establish a data bridge, and the adoption of the adequacy decision for the EU-US Data Privacy Framework (DPF) by the EU Commission, we take a look at what this could mean for your business and data transfers.
What is the Anticipated UK-US Data Bridge?
In principle, the UK and US have agreed to establish a UK-US adequacy decision. This is commonly referred to as the ‘data bridge’, which would allow for the free flow of data between organisations in the United Kingdom and participating organisations in the United States.
Its intention is to include the UK as an extension to the EU-US Data Privacy Framework (DPF). The EU Commission adopted its adequacy decision for the DPF on 10th July, but the implementation of the UK-US data bridge still requires an official decision from the UK Secretary of State and the US, designating the UK as a “qualifying region” under Executive Order 14086.
How may the ‘Data Bridge’ Affect your Organisation?
The anticipated UK-US Data Bridge has the potential to significantly affect your organisation’s data transfers. If the data bridge is approved, it would mean that the US becomes an adequate country under UK GDPR, allowing businesses to transfer data to the US without the need for additional safeguards or risk assessments.
This would greatly reduce the burden of data transfers, and come as a relief for many companies, technology companies in particular, who may currently transfer large volumes of data to the US.
In 2021, 93% of the UK’s services exports were data-enabled, and the UK exported more than £79 billion of these services (about 30%) to the US.
Concerns and Criticisms Surrounding these Agreements
It is anticipated that the UK-US data bridge will be approved in October 2023, though there are ongoing challenges to the foundation upon which it is based.
The EU-US Data Privacy Framework (DPF), on which the data bridge is intended to be an extension, has already faced scrutiny from the European Data Protection Board (EDPB) and the EU Parliament. Critics argue that the DPF may not provide sufficient protection for personal data and fails to address the issues raised by the Court of Justice of the European Union (CJEU) in its previous invalidation of the EU-US Privacy Shield.
Prominent privacy advocate Max Schrems has publicly stated that he intends to challenge the EU Commission’s decision to back the DPF, further casting doubt on its effectiveness. If the CJEU again finds the EU’s decision with the US lacking, it could potentially jeopardise the UK’s data transfer agreement with the EU.
In light of these concerns, organisations that are subject to both EU and UK GDPR should be particularly vigilant about the data they transfer. It is crucial to keep clear and correct records of data transfers to ensure compliance with both sets of regulations. Any discrepancies or failures to meet the necessary standards could naturally have serious consequences for businesses.
Next Steps and Future Developments
While the UK-US data bridge offers the potential for more streamlined data transfers, it is important to navigate these agreements with caution and stay informed of any future developments. By remaining proactive and up-to-date on regulatory changes, organisations can protect themselves and their data from potential risk.
It is also important to bear in mind that this agreement is not in place yet, so businesses must still have adequate transfer safeguards in place under UK GDPR.