The distance between London and Washington is 3,674 miles. Despite the distance, it is, and has long-been, a well-traveled journey. In a former role, it is a journey I made on a number of occasions in pursuit of today's news.
The safe passage of data between the age-old friends and signatories of the Atlantic Declaration has been subject to some turbulence over recent years. "Schrems I" in October 2015 and "Schrems II" in July 2020 were paradigm-shifting moments for the stability of trans-Atlantic transfers. The Atlantic was not the only choppy body of water for data transfers. The U.K.'s decision to leave the EU, made the Channel a shorter, but equally challenging, body of water to navigate.
"When you're weary…Oh, when times get rough…Like a bridge over troubled water, I will ease your mind"
– Paul Simon
In using a term the U.K. government prefers to the EU's "adequacy," the choppiness of the data transfer waters between the U.K. and U.S. have been bridged over. So, too, the English Channel. There are now laws in place to sustain the triangulation of trans-Atlantic transfers between the EU, U.K. and U.S.
On 21 Sept., U.K. Secretary of State for Science, Innovation and Technology Michelle Donelan laid regulations in the U.K. Parliament, giving effect to a U.K.-U.S. Data Bridge. The decision was based on her determination that the U.K.-U.S. Data Bridge "maintains high standards of privacy for U.K. personal data."
The regulations will take effect 12 Oct. The U.K. government also published a series of supporting documents, which include an explainer, fact sheet and more than 130 pages of detailed analysis of U.S. privacy safeguards relevant to the U.K.-U.S. Data Bridge.
With the Data Bridge, organizations in the U.K. will be able to transfer personal data to U.S. organizations certified to the "U.K. Extension to the EU-US Data Privacy Framework" without the need for further safeguards, such as international data transfer agreements (the U.K. version of the EU's standard contractual clauses or binding corporate rules). There are requirements for both U.K. and U.S. organizations in order to implement the Data Bridge, such as updating privacy policies and certifying to the Data Privacy Framework List.
There is another, arguably more consequential but indirect, benefit to the Data Bridge.
Thousands of U.K. organizations use — and may continue to make use of — alternative transfer mechanisms to transfer personal data from the U.K. to the U.S. When doing so, those organizations have been required to complete a transfer risk assessment, to consider whether, in the circumstances of the transfer and with the chosen alternative transfer mechanism, the relevant protections for people under the U.K. data protection regime would be undermined by the laws and practices of the third country. Performing that assessment for any third country's surveillance laws and practices has long been one of the most complex and challenging exercises for organizations.
There are good arguments to say that, from 12 Oct., U.K. organizations will no longer need to perform such assessments when it concerns U.S. surveillance laws and practices.
The U.K. government published an extensive and detailed analysis of relevant U.S. laws and practices related to the access and use of personal data by U.S. agencies for the purposes of national security and law enforcement. That analysis contributed — indeed, it was a significant contribution — to the U.K.'s finding that, as a matter of U.K. law, those U.S. laws and practices do not undermine the level of data protection for U.K. data subjects when their data is transferred to the U.S.
The assessment is as relevant for transfers legally effected via the U.K. Extension to the EU-U.S. Data Privacy Framework as it is for transfers legally effected via alternative transfer mechanisms, such as U.K. international data transfer agreements or BCRs.
The U.K.-U.S.-EU triangle is one of the most important pieces in the global-transfers puzzle. Each side of the triangle is likely to be tested and to come under pressure. The EU adequacy decision for the EU-U.S. Data Privacy Framework has already received a legal challenge.
As the newly formed triangle faces pressure from within, it also faces challenges and opportunities from around the world. Work by the Organisation for Economic Co-operation and Development, Global Cross-Border Privacy Rules Forum, Association of Southeast Asian Nations, Commonwealth, Ibero-American Personal Data Protection Network, the African Union and the Council of Europe, to name but a few, show the potential and the prevalence of multilateralism and more scalable frameworks for data transfers.
With bridges built over troubled water, privacy professionals can expect more focus and momentum on a new deal for data transfers.