Earlier this year [July], the EU adopted a decision that will see the free flow of personal data between the EU and the US – a move that will undoubtedly be welcomed by trans-Atlantic businesses. The adequacy decision for the EU-US Data Privacy Framework will allow the free transfer of personal data between EU and US companies participating in the framework on the basis of binding safeguards. 

Under the EU GDPR, the European Commission (EC) has the ability to determine whether jurisdictions outside of the EU offer an adequate level of protection for EU citizens’ personal data. The effect of such an adequacy decision is that personal data can freely flow between the EU and the non-EU jurisdiction without additional safeguards needing to be put in place. Those additional safeguards included, for example, the use of EU approved Standard Contractual Clauses (SCCs) in contracts between the data exporting and importing parties, and the carrying out appropriate data protection impact assessments. In relation to EU-US data flows, this decision is highly valuable, with the White House stating that there are more data flows between the EU and the US than anywhere else in the world. 

This is not the first time the EU and the US have attempted to put a framework in place for the free flow of data. The two previous decisions of the EC, the Safe Harbor, put in place in 2000, and the Privacy Shield put in place in 2016, were declared invalid by the European Court of Justice (ECJ) in 2015 and 2020 respectively, following challenges from privacy activist Max Schrems. These decisions were invalidated in part because of programmes allowing US authorities to access personal data transferred from the EU for national security purposes. This meant US domestic law limited the protection of EU citizens’ personal data in a way that did not provide for an essentially equivalent, and therefore sufficient, level of protection as guaranteed by EU law. 

The EC has stated that “new binding safeguards have been introduced to address the points raised” by the ECJ in 2020, including limiting US authorities’ access to data to the extent that it is “necessary and proportionate to protect national security”. The Data Protection Review Court has also been established, allowing EU citizens an independent redress mechanism which will investigate and resolve complaints relating to access to their data by US authorities. 

Joe Jones, director at the International Association of Privacy Professionals said that there had been “significant reforms” to the US’s surveillance safeguarding, and that the Data Privacy Framework was not just a “reheating” of the two previous attempts. However, he also said “the question is: is it good enough?” Perhaps predictably, Max Schrems is unenthused about the proposed agreement. noyb, the not-for-profit organisation led by Schrems, states that data agreements with the US will not work unless the necessary changes in US surveillance law are made, which is yet to happen. Schrems is quoted as saying that simply calling something ‘new’, ‘robust’ or ‘effective’ will not be enough for the Court of Justice, and noyb have already prepared various challenges to be filed with the ECJ. 

But what does this mean for the UK? The adequacy decision does not apply to UK-US personal data flows. In June 2023, the UK and US announced that a commitment in principle had been reached in relation to a proposed data bridge allowing for the free flow of data between the UK and US organisations that have been certified under the scheme. The data bridge would act as an extension to the EU-US Data Privacy Framework, purportedly providing businesses with an annual saving of £94.2 million. However, if the EU-US Data Privacy Framework is subject to challenge and ultimately declared invalid, this may affect the UK-US data bridge. There are also further concerns that the scope of the data bridge could bring the EU’s UK adequacy decision into question. 

For now, the new adequacy decision will facilitate EU-US data flows. It will be interesting to see how the challenges from privacy campaigners develop and what effect this will have on efforts to facilitate the transfer of data between the UK and US.  

UK businesses trading in the US may wish to consider the following steps in preparing for the introduction of the UK-US data bridge:

• Until the data bridge enters into force, businesses should ensure they continue to implement and use the correct safeguards, for example, by using the form of agreements approved by the UK ICO, namely the International Data Transfer Agreement (IDTA) or International Data Transfer Addendum (UK Addendum). Both of these agreements incorporate approved SCCs.
• Businesses should update and review data sharing agreements in place with US companies, pending the entry into force of the data bridge. 
• It is worth businesses being aware that according to the US Department of Commerce, US companies that are certified under the Privacy Shield should be able to easily self-certify under the new Framework. Businesses can check the Shield participants here: https://www.dataprivacyframework.gov/s/participant-search. Given that both the new agreements seem to be based on the previous Privacy Shield, it’s a good indication whether businesses will be able to easily enter into a data transfer when the data bridge enters into force.
• If businesses have been cautious about trading in the US due to the restrictions on data sharing, it may be worth re-evaluating this point. When the data bridge enters into force, the process to comply with it should be much simpler. European data exporters should find the compliance process less complicated for data transfers to the US, as the burden of documentation and compliance will mostly be shifted to the participating US data importers by virtue of the requirement to self-certify under the EU-US Data Privacy Framework. 

On 8 March, a new Data Protection and Digital Information Bill (No. 2) (the Bill) received its first reading in the House of Commons. This Bill replaces the Data Protection and Digital Information Bill (the DPDI Bill), which was introduced in July 2022 before being paused in September 2022. In its press release, the Government said:

• the Bill is a “new common-sense-led version of the EU GDPR”
• it will “reduce costs and burdens”
• it will “remove barriers to international trade”, and
• it will “cut the number of online repetitive data collection pop-ups online”.

Although the Bill has been introduced as separate bill, its proposals for data reform are broadly the same as those contained in the DPDI Bill.

Grace Astbury summarises the key provisions of the Bill and the implications for the UK data protection regime below.

The proposed changes seem to be more of an evolution of the UK GDPR rather than a complete departure, alleviating some but not all of the compliance burdens under the UK data protection regime. Businesses will be afforded some greater flexibility in meeting the legal requirements for their data processing activities. Should the Bill be passed in its current form, businesses should carefully consider whether their current practices and procedures meet the requirements under the Bill. However, at this stage businesses should not take any immediate steps to modify their practices. It is likely that in most cases, where a business is GDPR-compliant, they will also be compliant under the new regime proposed by the Bill.

Michelle Donelan, Science, Innovation and Technology Secretary stated that “no longer will our businesses have to tangle themselves around the barrier-based European GDPR”. However, whilst the changes move the UK’s data protection regime away for the EU GDPR, the Bill cannot make changes to obligations under the EU GDPR. Therefore, businesses processing the personal data of individuals based in the EEA will still be required to comply with the EU GDPR. Businesses who process the personal data of both UK and EEA based individuals may have little desire to have separate data practices for their EU and UK operations.

On 17 April 2023, the second reading of the Bill took place, which gave MPs a chance to debate the main principles. The Bill passes this stage but in the course of the debate, concerns were raised in relation to the ICO’s independence, the UK’s adequacy status with the EU and the overall complexity of the Bill. The Opposition welcomed the Bill’s overarching principles but suggested that it did not go far enough. The Bill will now proceed to Committee stage to be scrutinised line by line. The first sitting of the Public Bill Committee is expected to be on 10 May, with the Committee being scheduled to report by 13 June. It remains to be seen what amendments could be on the horizon.

In the coming months, businesses will need to watch out for confirmation of the timing for implementation of the Bill and whether there is general cross-party support for the proposals. Further, the European Commission is yet to release its view on the proposals for reform under the Bill, raising the question – is the UK on a collision course with its adequacy decision with the EU?