New UK-US data privacy bridge takes effect October 12
When the United Kingdom (UK) withdrew from the European Union (EU), a new legal basis for transfers of personal data between the UK and the United States (U.S.) became necessary. Following a detailed analysis of the relevant U.S. laws and practices governing access to and use of the personal data of citizens and non-citizens by U.S. agencies for national security and law enforcement purposes, the UK Department for Science, Innovation and Technology determined that these laws and practices do not undermine the protection afforded to UK individuals and their data under the UK GDPR. On the basis of that determination, a new route for the transfer of personal data of UK individuals, known as the UK-US Data Bridge, has been established under the UK Extension to the EU-US Data Privacy Framework, with an effective date of October 12, 2023.
The new arrangement relieves UK organizations of the due diligence steps that previously applied when transferring personal data to U.S. organizations. Those steps included, but were not limited to, putting in place standard contractual clauses or binding corporate rules and completing a transfer risk assessment: an analysis of whether the protections granted to individuals under the UK data protection regime would be undermined by the laws and practices of the destination country. Such an assessment is both challenging and complex for organizations to conduct, particularly when it concerns another country's surveillance laws and practices.
The UK-US Data Bridge gives UK organizations a simpler way to transfer data to the U.S. without extensive assessments, additional safeguards or international data transfer agreements. A U.S. organization only has to self-certify to the EU-US Data Privacy Framework and then to the UK Extension of that Framework, which may require updating the organization's privacy policies. Self-certification to both is voluntary, but because it is a public commitment, any non-compliance with the commitments and principles made under the Framework and the Extension is enforceable under U.S. law.
Transfer of specific data types
Only personal data as defined under the EU-US Data Privacy Framework can be transferred from the UK under the Data Bridge. A U.S. organization that wishes to receive personal data relating to an employment relationship (human resources data) must do so under the EU-US Data Privacy Framework and must indicate this to the U.S. Department of Commerce in its Framework certification. In doing so, the organization commits to cooperate with any investigations by, and to comply with the advice of, the UK Information Commissioner's Office (ICO), the relevant data protection authority in the UK.
The EU-US Data Privacy Framework defines sensitive information as "information specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual." The UK GDPR additionally treats biometric, genetic and sexual orientation personal data as special category data, which the Framework's definition does not list. Because the Framework's definition is a non-exhaustive list of examples, a UK organization should identify such data as sensitive when it is transferred; where the UK organization flags transferred information as sensitive, the U.S. organization must treat it as sensitive under the EU-US Data Privacy Framework.
UK consumer rights following the transfer
The EU-US Data Privacy Framework, adopted by the European Commission on July 10, 2023, constitutes the legal basis for transfers of personal data from the EU to the U.S. for commercial purposes. In connection with it, the U.S. Attorney General designated the EU and the qualifying states of the European Economic Area (EEA) for the purposes of the redress mechanism established under Executive Order 14086 (EO 14086). This allows EU/EEA individuals to submit complaints and obtain redress for alleged violations of law in relation to U.S. intelligence activities affecting their personal data after it has been transferred to the U.S.
With the addition of the UK to the list of qualifying states on September 18, 2023, UK individuals will, from October 12, 2023, also be able to submit a complaint under EO 14086 through the ICO if they believe they have been subject to a violation in relation to U.S. intelligence activities under the Foreign Intelligence Surveillance Act.
A qualifying complaint is forwarded by the ICO and first investigated by the Office of the Director of National Intelligence Civil Liberties and Privacy Office (ODNI CLPO). Once that investigation concludes, the individual may, if they wish, apply for a review of the ODNI CLPO's decision by the Data Protection Review Court (DPRC). The DPRC's review and determination is final and binding on the agencies and organizations involved. In addition, the U.S. has confirmed that any remedies ordered by the ODNI CLPO and/or the DPRC will be implemented subject to the oversight of the Privacy and Civil Liberties Oversight Board (PCLOB).
Remedial action under EO 14086 may take the form of an order to rectify incorrect information or to erase specific information. However, the complainant will not be given access to the data held about them and will not receive monetary compensation for any violation.
If you have any questions about your company’s compliance with cyber regulations, concerns about vulnerability to attacks or other breaches, or if you want to learn more about proactive cybersecurity defense, contact a member of McDonald Hopkins’ national data privacy and cybersecurity team.