We’re all familiar with how much the modern world is powered by data, and specifically the transfer of that data across borders. 93% of the UK’s services exports were data-enabled in 2021, with the value of services exported to the US alone worth over £79 billion – equivalent to 30% of the total. There is a viewpoint, however, that arrangements could be made even simpler to unlock further trade and economic benefits.
This is the intention behind the recent agreement in principle between the UK and US Governments, to establish a new legal framework which would facilitate personal data transfers between the two countries. This would extend the existing EU-US Data Privacy Framework, making it “easier for around 55,000 UK businesses to transfer data freely to certified US organisations without cumbersome red tape,” as a Government press release claimed.
Upholding standards across territories
Both the EU and UK already have regulations in place to accommodate the transfer of personal data outside the European Economic Area (EEA). This new ‘data bridge’ aims to maintain the same level of protection for personal data exported to other jurisdictions as that provided under the GDPR. There are currently several mechanisms that businesses use to ensure that EU or UK data protection standards are upheld when exporting personal data.
One of these is contractual clauses, the cost and inflexibility of which often make them a significant barrier to overcome, especially for small and medium-sized businesses. Any UK business that currently needs to send personal data to a service provider or company in the United States needs to have these in place to ensure data protection and privacy standards are maintained.
Another option is an adequacy decision. Policymakers make these designations to allow the free flow of personal data through specific jurisdictions. Once it is finalised, the UK-US data bridge would represent a UK-issued adequacy decision, while the European Commission has signaled its intention to adopt an adequacy decision with the EU-US Data Privacy Framework. This comes after the previous decision that was proposed, the EU-US Privacy Shield, was rendered invalid by the Schrems II ruling.
The Purpose of a Data Bridge
The primary reason for arrangements like a data bridge is to streamline and unify the agreements that would otherwise be needed and, in essence, to make innovation, collaboration and data sharing easier for businesses. In this way, the agreement aims to reduce burdens on business – and overall, get the two countries on the same page when it comes to the regulation in place.
It is a fine balance to get right, as any UK-US agreement also needs to ensure it doesn’t threaten the existing adequacy status that the UK has had with the EU since the country left the Union. Companies in all regions are closely watching for what comes through – especially as notable privacy campaigner Max Schrems has already been vocal about challenging version 2.0 of the EU-US Privacy Shield.
“A UK extension to the Data Privacy Framework is the most streamlined approach to take, it is likely to be the smoothest approach for reaching political agreement. It is also the least likely to cause issues for the UK’s own EU adequacy status, as the UK approach will presumably align with the EU’s,” commented data protection law expert Rosie Nance of Pinsent Masons.
Regardless of the specific agreements that are secured between the EU, UK, and the US, they should not cause businesses to stop conducting data transfer impact assessments. The Schrems II ruling emphasised the importance of the robust due diligence businesses must undertake before transferring personal data anywhere outside of the EEA – not just to the US.