Yesterday the UK Government announced its decision to establish a UK-US data bridge, a 'partial adequacy decision' in old terminology, for friction-free transfers of personal data from the UK to the US.
Adequacy regulations have been laid before Parliament and will come into force on 12 October. From this date, UK organisations will be able to transfer personal data to entities signed up to the UK Extension to the EU-US Data Privacy Framework (DPF) (discussed in our previous blog), without putting in place standard contractual clauses (SCCs).
As part of the adequacy assessment process, the ICO has submitted its opinion on the data bridge to the Secretary of State, in line with the UK GDPR and the 2021 MOU between the ICO and DCMS. The ICO’s role in adequacy assessments is limited to providing independent assurance on the process and on the factors the Government has taken into account, which results in an arguably less strident opinion than those issued by the EDPB and the European Parliament in the EU process. Despite these limitations, while concluding that the adequacy assessment is ‘reasonable’, the ICO has raised concerns about the arrangement, including about the definition of ‘sensitive information’. Under that definition, organisations transferring certain types of special category data (including genetic, biometric and sexual orientation data) to the US in reliance on the DPF must identify the data as sensitive at the point of transfer for it to be treated as such by the recipient (see the Government factsheet for UK organisations for further guidance). The ICO also raises concerns about the protections surrounding criminal conviction data and automated decision-making, which are likely to be a further focus for activists looking to challenge the arrangement.
What should organisations making transfers from the UK to the US do now?
For now, organisations making transfers to the US must continue to rely on other mechanisms such as the SCCs, until the data bridge comes into force on 12 October. UK organisations looking to transfer to US entities in reliance on the data bridge after that date will need to check that their US counterparties have completed the required compliance steps under the DPF (as discussed in our previous blog), this time including certification under the “UK Extension” to the DPF; the transferring entity should also update its own privacy notices and records of processing to refer to the new mechanism. Helpfully, organisations making transfers from both the UK and the EU can consult the same list of participating entities on the US Department of Commerce’s DPF webpage to check their US counterparties’ status. The list indicates which adequacy framework each US organisation participates in, and some are already listed as participating in both the EU-US DPF and the UK Extension to the DPF, along with the Swiss-US DPF.
For organisations relying on alternative transfer mechanisms such as SCCs, and those who may choose to continue doing so in the future, the completion of transfer risk assessments (TRAs) may, however, become easier as a result of the privacy protections the US has put in place. These are helpfully set out in the supporting documents published by the UK Government in relation to the data bridge.
Having said that, organisations should maintain a close watching brief on developments, as the first of the inevitable legal challenges to the validity of the EU-US DPF has reportedly already been filed. Any legal challenge that invalidates the EU mechanism is likely to have wider ramifications for the UK deal too, for example by giving rise to similar copycat actions. As such, many organisations may sensibly choose to hold off updating their compliance programmes to take account of the DPF for now.