BEERG Newsletter 31 - Data Transfers: UK builds a data bridge on EU/US data framework pillars

Derek Mooney writes: On September 21 the U.K. and U.S. announced that they had finalised the provisions of a UK-U.S. Data Bridge allowing personal data flows to U.S. from October 12^th.  The U.K.’s Department for Science, Innovation and Technology also announced on Sept 21^st that “adequacy regulations have been laid in Parliament… to give effect to this decision.” It went on to say that: 

“UK businesses and organisations will be able to make use of this data bridge to safely and securely transfer personal data to certified organisations in the US, once the regulations come into force from October 12.”

This US/UK data bridge effectively allows bodies that have self-certified under the EU-U.S. Data Privacy Framework to extend this certification to cover UK data. The UK government has produced an explainer as to how the process will work. This expands on the broad principles of the proposed system as first outlined back in June. The online tech journal Techcrunch.com candidly described the initiative as: 

“…piggyback[ing] on a transatlantic data transfer deal between the European Union and the U.S. by bolting on an extension that is dubbed the “U.K.-U.S. data bridge.”

The UK end of the data bridge is based on the UK’s own GDPR which replaced the EU’s GDPR post Brexit. The U.K.’s data protection authority, the Information Commissioner’s Office (ICO) has produced a broadly supportive assessment of the new data bridge, but some experts have pointed to a more cautious note in that opinion which states:

‘…while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied.'

Whatever about the potential legal challenges that will likely emerge, this move on data transfers is being viewed as the British government adopting a pragmatic approach to regulatory alignment with the EU.