Associate Lucy Burrows provides insight on the UK-US data bridge and discusses the potential for legal challenges in IT Pro.
Lucy’s comments were published in IT Pro, 8 December 2023, and can be found here.
“Because there are key differences which may lead to data subjects in the UK having less control over their data than UK GDPR provides, there is scope for the agreement to falter. For example, there is not a comparable right to be forgotten provision set out in the Data Bridge.
“Prior to the Data Bridge, businesses in the UK had to use alternative provisions when transferring data to the UK, which had a number of burdensome legal and regulatory requirements.
“These provisions included the International Data Transfer Agreement and International Transfer Addendum to the European Commission’s Standard Contractual clauses. The Data Bridge simplifies the process of transferring data from the UK to organisations in the US that are certified under the EU-US Data Privacy Framework.
“Concerns with the Data Privacy Framework principally stem from worries that sufficient protection may not be provided to EU Citizens.
“It seems likely that there will be legal challenges to the UK-US Data Bridge, especially when considering the specific areas that are open for challenge, as highlighted by the Opinion issued by the ICO.
“Further, the Data Bridge acts as an extension to the Data Privacy Framework, which is anticipated to encounter legal challenges in the CJEU, and as such may invalidate the Data Bridge.
“Whilst challenges to the Data Privacy Framework may invalidate the Data Bridge, the UK is no longer part of the EU and so the UK-US Data Bridge could survive any such challenges – and indeed stand the test of time – as courts in the UK could set a higher benchmark as to what constitutes an adequate level of protection to their counterparts in the EU.”