Anthony Woolich and Lucy Macris at law firm HFW explore the EU-US Data Privacy Framework and the prospective UK-US Data Bridge
The privacy and security of personal data has been subject to considerable scrutiny, with many concerns raised over the use and storage of personal data by large companies, and the safeguards taken to ensure that such data is kept secure.
Whilst the EU General Data Protection Regulation (GDPR) and its UK equivalent have imposed restrictions on the transfer of personal data internationally, the handling of personal data by the US has remained a developing area, with no federal law on the protection of personal data yet in place.
In July 2023, the European Commission and the United States completed an agreement to facilitate transfers of personal data from the European Economic Area to the US. The agreement, known as the EU-US Data Privacy Framework, requires self-certified US organisations to process EEA personal data subject to a detailed set of privacy obligations.
Many have called on the UK to provide its own mechanism for establishing the protection of personal data which is similar to the Framework. The UK government is working towards its own adequacy framework for transfers of data from the UK to the US after announcing in June 2023 that it has committed to establishing a "data bridge" with the US.
The data bridge would constitute a UK-issued adequacy decision, as required by legislation, avoiding the need for UK businesses to use inefficient transfer mechanisms when transferring personal data to the US. The data bridge would form part of the broader "Atlantic Declaration" agreed between President Biden and Prime Minister Sunak which includes a commitment to ensuring responsible development of technological and trade relations including data protection and AI.
Schrems and the Privacy Shield
The importance of protecting personal data transferred outside the EEA was emphasised in the Schrems judgements of the Court of Justice of the European Union (CJEU).
Schrems I invalidated the ‘Safe Harbour’ framework which had been designed with the intention of ensuring that personal data transfers from the EEA to US organisations which had signed up to the Safe Harbour complied with the EU Data Protection Directive 1995, including on security of data.
After the CJEU held that the Safe Harbour was not fit for purpose, including because of potential access to the personal data by US public authorities under US law, it was replaced by the ‘Privacy Shield’, which again allowed personal data to be transferred from the EEA to US organisations which had signed up to it.
In Schrems II, the CJEU held that the Privacy Shield was inadequate for complying with the GDPR due to the disproportionate level of access US surveillance authorities had to personal data and because applicable US legislation did not grant individuals actionable rights before the courts against the US authorities.
Schrems II resulted in a significant degree of legal uncertainty regarding the transfer of personal data outside the EEA (or UK). Businesses have continued to transfer personal data outside the EEA using "Standard Contractual Clauses" (SCCs) adopted by the Commission and/or UK government as appropriate, and upheld with qualification by the CJEU in Schrems II.
However, these are lengthy and may be regarded as inadequate without supplemental measures to ensure security of personal data for particular international transfers, as held by the CJEU. The UK is accordingly likely to take comfort from the Commission’s granting of an adequacy decision for the EU-US Framework.
Political pressure
Whilst the US and EU have come to an agreement after two years of negotiations, the UK government now faces pressure to offer UK citizens the same protection as those in the EEA and UK transferors of personal data the same flexibility as their EEA equivalents.
The Commission firmly scrutinised US data protection laws, setting a high bar which the UK is now being expected to emulate. Beyond this, the UK government faces pressure from businesses over the use of SCCs which often significantly lengthen commercial contracts.
The data bridge, which would supplement the EU-US Data Privacy Framework, presents an opportunity for renewed transatlantic unity. UK government officials have been working with their US counterparts for two years on a proposed new UK adequacy decision for the US.
The test for adequacy under the UK GDPR requires the Secretary of State to be satisfied that UK data protection standards under the UK GDPR are not undermined when personal data is transferred to another country.
To determine this, the overall effect of a third country’s data protection laws, implementation, enforcement, and supervision are taken into account, including those that relate to how public authorities can access personal data.
The third country’s international commitments to data protection and its respect for the rule of law and human rights are also taken into account, though the test does not require point by point replication of UK law in another country’s regime.
US organisations which are approved to join the Framework would be able to receive UK personal data under the data bridge. The data bridge is expected to generate significant efficiencies on compliance and is also apt for addressing concerns over the use of AI, the safety and security of which are under review.
Next steps
Before the data bridge can be finalised, the UK government has committed to continue to assess US data protection laws, considering the protection provided for "personal data, the rule of law, respect for human rights and fundamental freedoms".
The UK intends to consult the Information Commissioner’s Office on the data bridge in the coming months as required by the Data Protection Act 2018. The US is also working to designate the UK as a qualifying state under the “Enhancing Safeguards for United States Signals Intelligence Activities” Executive Order, which would enable UK individuals to access redress mechanisms, including the new Data Protection Review Court.
If implemented correctly, the data bridge presents an opportunity for the UK and US to achieve significant economic gains, whilst protecting the rights of UK data subjects.
Anthony Woolich is a Partner and Lucy Macris is a Trainee Solicitor at HFW