On 12 October 2023, the Data Protection (Adequacy) (United States of America) Regulations 2023 will come into effect and the UK-USA ‘data bridge’ will be effected. This will mean that, under the terms of the revised EU-US Data Privacy Framework, and the UK Extension to it, transfers of personal data from the UK to a person in the USA on the Data Privacy Framework List, will be deemed to meet the test of adequacy for the purposes of the UK GDPR and the DPA 2018.
As is well known, the Data Privacy Framework is the replacement for the Privacy Shield, itself the replacement for Safe Harbor, with a suite of new protections and mechanisms seeking to address the concerns which led the CJEU to invalidate the Privacy Shield in the Schrems II litigation. Transfer to the US have long been troubled waters for data protection lawyers and those poor benighted persons just trying to run businesses and act compliantly. The new ‘data bridge’ is intended to be the answer.
There are those who do not consider the revisions to be sufficient, and challenges will doubtless proceed against the EU measure at the least. The Information Commissioner is not, however, one of them; he is obliged under the legislation to provide an opinion on any proposed adequacy regulations and has, in his Opinion on the UK Extension, concluded that it is reasonable for the Secretary of State to have reached the view that the UK Extension provides an adequate level of protection, albeit that four areas are set out where particular monitoring is suggested.
Those interested may wish to consider the paper setting out the Government’s reasoning and its analysis of the UK Extension. Various relevant pieces of correspondence between key UK and US officials are published here.
Christopher Knight