UK Approves Commercial Data Transfer Deal With US – Source: www.govinfosecurity.com

General Data Protection Regulation (GDPR)
,
Geo Focus: The United Kingdom
,
Geo-Specific

Agreement Says Organizations Don’t Need to Assess Risk Before Transferring Data

Akshaya Asokan (asokan_akshaya) •
September 22, 2023    

The British government on Thursday signed onto a European deal easing trans-Atlantic commercial data flows with the United States, telling Parliament that the United Kingdom will accede to a Brussels-led agreement that allows American firms such as Facebook and Google to store Europeans’ data.

See Also: Live Webinar | Cyber Resilience: Recovering from a Ransomware Attack

By piggybacking onto the EU-US Data Privacy Framework through what the government is calling a “data bridge” – essentially wholesale acceptance of the framework, which went into effect in July – Westminster avoids having to negotiate a separate commercial data flow agreement under the terms of the General Data Protection Regulation. The United Kingdom incorporated the European privacy law into domestic statute in 2018 before separating from the trade bloc.

Data transfers outside of countries governed by the GDPR, absent specific authorization such as through a contract, require a standing agreement with foreign countries attesting that the countries have an adequate level of privacy protections.

U.K. Secretary of State Michelle Donelan approved the deal, which comes into effect Oct. 12. The data bridge underpins annual data-enabled trade worth at least 79 million pounds, according to U.K. estimates.

The agreement means British businesses, like their continental counterparts, will not have to rely on more cumbersome standard contractual clauses or any binding corporate rules when transferring data to the U.S. The agreement also removes obligations for organizations to conduct risk assessments before transferring data.

The U.S attorney general days earlier designated the U.K. as a ‘qualifying state’ under Executive Order 14086, which put in place measures sought by Brussels in order to make an adequacy determination with the U.S. before approving the EU-US Data Privacy Framework.

Donelan’s approval comes after the U.K. and U.S. in June reached a commitment in principle.

Experts warn that the long-term prospects of the EU-US Data Privacy Framework are not great, given that the European Court of Justice struck down its two predecessors – the Safe Harbor Framework in October 2015 and the Privacy Shield in July 2020. Privacy advocates have already filed challenges against the framework. The data transfer mechanism “isn’t likely to be a lasting solution,” Jonathan Armstrong, a partner at Cordery Compliance who monitors European privacy law, told Information Security Media Group earlier this year (see: European Parliament Rejects EU-US Data Framework).