New Data Transfer Framework to the USA
On 12 October a new structure will come into effect to allow for transfers of personal data from the UK to the USA. At the moment these transfers are complicated by the GDPR and any organisation wanting to carry out a transfer must:
- Carry out an impact assessment;
- Enter into an appropriate data transfer agreement with the organisation in the USA.
Alternatively, the organisation must use some other form of data sharing arrangement such as binding corporate rules.
There have been several attempts to set up organised data sharing arrangements from Europe to the USA. Two previous systems created by the EU, most recently the Privacy Shield, have been struck down by courts in various European jurisdictions as unlawful. The EU has now set up a third attempt to permit data transfer from there to the USA, the Data Privacy Framework (DPF). The UK has negotiated a deal with the USA to sit alongside this arrangement and to use it for its own purposes. The UK refers to this as a data bridge, which is the name the government now likes to give to data adequacy arrangements under the GDPR.
The main issue with data transfer to the USA has always been that the US authorities have substantial powers to demand that organisations in the US release data to those authorities, with very little that individuals can do to stop this and, in many cases, without their knowledge at all. The DPF is intended to resolve this issue by creating a scheme through which individuals in the UK can seek redress where they believe their data has been unfairly taken or used by US authorities.
However, there are specific requirements which UK organisations must fulfil. The US entity they wish to transfer data to must have signed up to the DPF. This can be checked by searching the DPF list. Further, the US entity must not only be on the DPF list but must also have agreed to the UK extension. If those requirements have not been fulfilled then the traditional mechanisms, which still exist, must be used to transfer data.
There are also limits on the data types that are covered by the DPF. Special category data falls outside the strict limits of the DPF and so transferring it under the DPF would be extremely risky. Therefore organisations would be unwise to transfer data which dealt with individuals' health, union membership, or sexual orientation. This data would be best dealt with by using traditional transfer mechanisms.
Finally, organisations thinking of using the DPF should be aware that the two previous mechanisms were overturned by activists. Those same activists will be looking closely at the DPF. It will undoubtedly strengthen their position that the UK's own data protection regulator, the ICO, has damned the DPF with faint praise. The ICO has held that, while it is reasonable for the government to conclude that the DPF provides sufficient protection to data subjects, there are specific risks with the structure. It is easy to conclude that the ICO would not, if it had been asked, have come to the same views about the suitability of the DPF, and these views are likely to form a key element of any case against the DPF.
JMW is able to advise on international data transfer from the UK and the most appropriate mechanisms, including the DPF, for organisations to adopt.