Expert Insight: Andrew Snow

Insights into the new UK–US ‘data bridge’ from our data protection and cyber trainer

Andrew Snow is a GDPR DPO (General Data Protection Regulation data protection officer) with extensive public- and private-sector experience in regulatory compliance, privacy compliance framework development, and other areas relating to data protection.

He is also an enthusiastic data privacy and cyber security trainer, consistently receiving high praise from course attendees.

We sat down to chat to him.

What has caught your attention lately?

One story that’s important to UK and US organisations wanting to transfer personal data across the Atlantic, yet that few seem aware of, is that the UK and US now have an adequacy decision, known as the UK–US ‘data bridge’.

The UK’s official statutory instrument is called ‘The Data Protection (Adequacy) (United States of America) Regulations 2023’ – quite a mouthful, I know – which came into force on 12 October this year.

The US has incorporated this as part of its Data Privacy Framework, or ‘DPF’ for short, Program. This offers mechanisms for transferring personal data not just from the UK to the US, but also from the EU and from Switzerland to the US.

What does this mean in practice for UK and US organisations?

Basically, it simplifies transatlantic personal data transfers. Under the UK GDPR, UK residents’ data may not be transferred to the US unless a valid transfer mechanism is in place.

Previously, this usually meant relying on BCRs [binding corporate rules] or the IDTA [international data transfer agreement], both of which require more effort than relying on an adequacy decision.

But now that we do have one between the UK and the US – or rather, with US organisations that have signed up to the DPF – both UK and US organisations have a much more efficient transfer mechanism at their disposal.

Focusing specifically on UK organisations, what must they do to take advantage of this adequacy decision?

It’s important that UK organisations check the DPF website to make sure that the US organisation they intend to share data with has signed up to the Program.

However, I strongly recommend organisations also do their due diligence, and not blindly rely on this mechanism.

Check things like:

  • The organisation’s privacy notice;
  • That the contract refers to the UK–US data bridge;
  • What technical and organisational measures the organisation has deployed to protect your data; and
  • Anything else important to you to keep the data you want to transfer to the US organisation secure. Remember: as the data controller, you’re legally accountable for keeping the data entrusted to you safe.

Also remember that, since you’re engaging another organisation to process data on your behalf, you’d need to put a standard Article 28(3) contract in place. The ICO [Information Commissioner’s Office] has some great guidance on what to include in this contract on its website.

What about US organisations? What must they do to sign up to the DPF?

A US organisation has to self-certify to the DPF that it’s meeting the requirements, which are similar to those under the now-obsolete Privacy Shield.

The DPF requirements include:

  • Informing individuals about the data processing;
  • Providing free and easily accessible mechanisms for resolving disputes;
  • Cooperating with the U.S. Department of Commerce;
  • Maintaining data integrity and purpose limitation;
  • Ensuring accountability for data transferred to third parties, like sub-contractors;
  • Transparency related to enforcement action; and
  • Ensuring commitments are kept as long as data is held.

The DPF website has a full guide to self-certification that organisations may find useful.

Is the DPF/adequacy decision always the best mechanism to rely on for UK–US data transfers?

I’d say that it’s generally the easiest mechanism, rather than the best.

Although the adequacy decision offers an efficient and legal route to send personal data to the US for processing, it’s important to understand that it has limitations.

Once a US organisation has self-certified to the DPF, this won’t be challenged unless a complaint is lodged – which is, by the way, a common issue with self-certification schemes.

That doesn’t mean that we should dismiss such schemes out of hand, but it does mean that it’s important to conduct your own due diligence by checking for points such as the ones I mentioned earlier.

Does that mean you still recommend UK organisations to consider the IDTA or BCRs as alternative mechanisms?

Depending on the organisation’s needs, they can certainly provide a suitable alternative.

With the IDTA, an Article 28(3) contract isn’t needed. Instead, an ICO-approved contract is put into place, which must be used in full without removing any of the clauses, but organisations may add new ones. It must also be accompanied by a transfer risk assessment, a tool for which is available on the ICO website.

The IDTA is a good option for UK organisations to transfer personal data to the US if they want to go that extra mile and put a more robust contract in place to keep the data entrusted to them secure. They may also find the IDTA the better choice if they’re already relying on it for data transfers to third countries without any adequacy decision.

As for BCRs, these offer a good option for:

  • Multinational corporate groups;
  • Groups of undertakings; and
  • Groups of enterprises engaged in a joint economic activity, such as franchises, joint ventures or professional partnerships.

BCRs allow for personal data transfers within an international organisation if both you and the recipient have signed up to approved BCRs.

In the UK, BCRs are approved by the Commissioner, and must be in place before the transfer takes place. If either you or the recipient can no longer comply, the transfers must stop immediately.

Can you foresee any difficulties with this new data bridge?

Unfortunately, yes. This UK–US data bridge is built on the back of the new EU–US DPF Program, which in turn was put in place because the previous transfer mechanism, the EU–US Privacy Shield, was rendered defunct. This was thanks to the efforts of Max Schrems, an Austrian privacy activist and the founder of the non-profit noyb, who also took down the Privacy Shield’s predecessor.

Schrems has already stated that he believes this new mechanism still doesn’t offer the security of personal data mandated by the EU GDPR, so will challenge the DPF sometime next year in the CJEU [Court of Justice of the European Union].

On top of this, we already have two further challenges to the DPF: one from a French MP and a member of the French supervisory authority, and another from a German regulator.

Obviously, I can’t tell you for sure that the DPF will go the same way as the Privacy Shield, but it’s certainly a possibility. This is another thing organisations should take into consideration when deciding on what transfer mechanism to rely on.

We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. Please do leave a comment below to let us know what you think, and if you have any questions you’d like our experts to answer.
