There has been a whirlwind of changes affecting data privacy over the last decade, driven mainly by the EU’s GDPR and now the UK’s equivalent. These legislative shifts have significantly altered how personal data is handled, stored and transferred, especially when it is transferred outside the UK/EU/EEA to countries such as the United States.
Our data privacy and intellectual property specialist, David McIntosh, has written extensively on the shifting dynamics of data privacy:
40 Years of Data Privacy in the UK. What’s Next?
Data Privacy Regulation: Looking to 2025 and Beyond
Many, if not most, organisations that regularly transfer personal data out of the UK/EU/EEA, and particularly to the US, have already taken steps to comply with these new requirements. This article provides an in-depth look at the latest developments, including the EU-US Data Privacy Framework and its implications for UK organisations post-Brexit.
EU-US Data Privacy Framework.
In parallel with these developments, there were lengthy discussions between the European Commission and the US Department of Commerce over concerns that US surveillance conducted by the NSA pursuant to the Patriot Act after 9/11 was fundamentally in conflict with the principles of the GDPR. These discussions concluded with agreement on an EU-US Data Privacy Framework, which addressed EU concerns over whether arrangements to protect EU personal data in the US were adequate:
See Commission Implementing Decision (EU) 2023/1795 of 10 July 2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework.
European Data Protection Board.
On 16 July 2024, the European Data Protection Board adopted a set of Frequently Asked Questions titled “EU-U.S. Data Privacy Framework FAQ for European Businesses”.
The EU-U.S. Data Privacy Framework (“DPF”) is a self-certification mechanism for companies in the US. Companies that have self-certified under the DPF must comply with its principles, rules and obligations relating to the processing of personal data of EEA individuals.
“The European Commission considered that transfers of personal data from the EEA to companies certified under the DPF enjoy an adequate level of protection. As a result, personal data can be transferred freely to US certified companies, without the need to put in place further safeguards or obtain an authorisation”.
However, there are a number of important caveats. If you need further information or a consultation on how to address these, please contact David McIntosh.
UK Extension to the EU-US Data Privacy Framework (UK Extension)
Given that the UK has left the EU, where does this leave the UK?
With effect from 12 October 2023, businesses in the UK have been able to transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework” (UK Extension) under Article 45 of the UK General Data Protection Regulation (GDPR) without the need for further safeguards such as those set out in Articles 46 and 49 of the UK GDPR.
UK Information Commissioner Response
The UK’s Information Commissioner has stated that:
“UK organisations should be mindful of the need to update privacy policies and document their own processing activities as necessary to reflect any changes in how they transfer personal data to the US.
The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT), and administered by the Department of Commerce (DoC).
The Data Privacy Framework includes a set of enforceable principles and requirements that must be certified to, and complied with, in order for organisations to be able to join the Data Privacy Framework. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations who have been certified to the Data Privacy Framework can opt in to receiving data from the UK.
Once a US organisation has been certified and is publicly placed onto the Data Privacy Framework List (DPF List) on the DPF website they can receive UK personal data through a UK-US data bridge.”
Note that the UK government’s post-Brexit positioning is to take advantage of “Brexit Freedoms”. Accordingly, the Department for Science, Innovation and Technology (DSIT), the department to which the ICO reports, prefers the term “UK-US data bridge” to “UK Extension to the DPF”.
The UK Government then published its assessment of adequacy for the UK Extension to the EU-US Data Privacy Framework for the general processing of personal data.
ICO Response to UK government’s assessment of adequacy.
The UK’s ICO subsequently published its opinion on the UK government’s assessment of adequacy set out below:
“The UK Government can assess whether another country, territory or an international organisation provides an adequate level of data protection compared to the UK. Some countries may have a substantially similar level of data protection to the UK. In these cases, the Government can make UK adequacy regulations. This allows organisations to send personal data to that country, territory or international organisation if they wish.
An adequacy assessment may cover either general processing, or law enforcement processing, or both. The Government must consider a range of factors, including that sending personal data to that country, territory or international organisation does not undermine people’s protections.
We support the Government undertaking adequacy assessments and making regulations. This enables personal data to flow freely in our global digital economy to trusted partners. We do this by providing independent assurance on the process followed and the factors that government officials take into consideration. This allows the Secretary of State to make an informed and reasonable decision. By doing this work once for everyone, the Government and the ICO are reducing the burden of compliance on organisations that would otherwise have to put alternative measures in place.
One of our priorities for this year, as set out in our ICO25 strategic plan is to “enable international data flows through regulatory certainty”. This includes our work on adequacy assessments. We provided advice to the Government during its assessment of the UK Extension to the EU-US Data Privacy Framework (UK Extension). Now that the Government has laid the regulations, we are publishing this Opinion to set out our views on the process and the Government’s conclusion.
Key Finding
The Commissioner considers that, while it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection and to lay regulations to that effect, there are four specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied.
The Secretary of State should monitor these areas closely to ensure UK data subjects are afforded equivalent protection in practice and their rights are not undermined. He also recommends monitoring the implementation of the UK Extension generally to ensure it operates as intended… The Secretary of State should monitor the following areas so that the differences in UK and US law do not result in a reduction in protections for data subjects.
- For criminal offence data, there may be some risks even where this is identified as sensitive because, as far as we are aware, there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974. This Act places limits on the use of data relating to criminal convictions when those convictions have become ‘spent’ following the relevant rehabilitation period, including the ability to request that this data is deleted. It is not clear how these protections would apply once the information has been transferred to the USA.
- The UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual. In particular, the UK Extension does not provide for the right to obtain a review of an automated decision by a human.
- The UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent. While the UK Extension gives individuals some control over their personal data, this is not as extensive as the control they have in relation to their personal data when it is in the UK.
The Commissioner therefore gives a qualified assurance to Parliament as it considers the regulations.
Who is this Opinion for?
This Opinion is primarily for members of the UK Parliament to consider alongside the UK adequacy regulations laid by the Secretary of State.
It may also interest the wider public, data protection professionals and organisations that already transfer personal data to the United States of America (USA) or who are considering doing so”.
More information can be found on the ICO website.
Exclusive: Government’s Response to Data Privacy Concerns: Full Details Available
Prospect Law wrote to the UK Minister of State for Data Protection and Telecoms on 19 August 2024 concerning the Information Commissioner’s opinion (published on 21 September 2023) on the UK government’s assessment of adequacy for the UK Extension to the EU-US Data Privacy Framework, and asked how HMG was planning to deal with the ICO’s concerns.
The Ministerial Support Team, on behalf of the Minister, has now responded to Prospect Law with answers to the questions posed.
Readers who would like to see DSIT’s response to the questions raised, or who would like to instruct Prospect Law to advise on any of the issues raised in this newsletter, should contact David McIntosh on dmc@prospectlaw.co.uk or +44 (0) 7483 300 132.
About the Author
David McIntosh was admitted as a Solicitor in 1988 and is a highly experienced commercial projects lawyer. He has advised clients in a number of fields, including intellectual property, data privacy, procurement law (both public and private), manufacturing, distribution, information governance and general regulatory matters in the nuclear and pharmaceutical sectors.