The new UK – US Data Bridge (UK Extension) aims, once again, to simplify transatlantic data transfers, allowing data to flow to the US without additional obligations on businesses. Holly McNeil, a corporate and commercial solicitor who specialises in data protection, examines the potential longevity of this UK Extension and whether legal challenges are likely.

The UK Extension is an extension of the EU-US Data Privacy Framework (DPF) and differs in some respects from previous attempts at seamless data flows, such as Safe Harbour and the US-EU Privacy Shield.

Firstly, a specific Data Privacy Framework List (DPFL) has been introduced. UK organisations cannot rely on the UK Extension unless a US organisation is on the DPFL (and has specifically elected to participate in the UK Extension).

To be on the DPFL, US organisations must self-certify and agree to comply with DPF principles (which are similar to UK/EU GDPR). Not all US organisations are permitted to self-certify – insurance, banking and telecommunication organisations, for example, are excluded. Once a US organisation has joined the DPFL, the commitment becomes enforceable under US law.

Another key difference is that the DPF attempts to provide greater redress than the previous attempts. The Data Protection Review Court (DPRC) has been established to allow data subjects to make complaints.

Further, the US has attempted to make changes to its intelligence-gathering activities and bulk surveillance. US authorities should only be able to access personal data if, and to the extent that, it is necessary and proportionate to do so.

ICO identified risks
The ICO has concluded that, whilst the UK Extension could be seen to provide an adequate level of data protection compared with the UK GDPR, four areas pose a risk to UK data subjects, and it recommends that the UK Extension is monitored to ensure that it operates as intended. These four areas are:
1. UK GDPR and the UK Extension use a different definition of ‘sensitive information’. UK organisations should therefore identify data as sensitive when sending it. However, there is no requirement for this data to be identified as sensitive, so there is a risk that additional protections for special category data might not be applied.
2. Even if criminal offence data is identified as being sensitive, equivalent protections for the use of this data do not exist in the US.
3. The UK Extension doesn’t contain protections against individuals being subject to decisions that are taken solely by automated decision-making, such as the right to obtain a human review of an automated decision.
4. The UK Extension contains some rights, but these are not as extensive as under UK GDPR, and there is no right similar to the right to be forgotten or the right to withdraw consent.

Legal challenges
There are several areas that are likely to be subject to legal challenge and there has already been one to the DPF, by French Parliamentarian Philippe Latombe (where part of his challenge was to immediately suspend the EU-US DPF). However, his challenge was dismissed by the European Court of Justice in October 2023, due to the fact he could not demonstrate the existence of irreparable harm to justify the urgency of the interim measures requested.

The Court did not opine on the merits of the case, so these remain to be tested. He has since appealed this decision and we await the outcome of his appeal.

Max Schrems and NOYB, the digital rights organisation (who successfully challenged Safe Harbour and the US-EU Privacy Shield), have also announced their intention to challenge the DPF. Separate challenges may also be brought specifically on the UK Extension.

Could the UK – US Data Bridge last?
It’s possible that, in the event a challenge is brought to the DPF, the European Court of Justice will find that it does not adequately deal with the concerns that it had about Safe Harbour and the US-EU Privacy Shield.

As the UK Extension is an extension to the DPF, if there is a successful challenge, the UK Extension may also be overturned. However, if a successful challenge does not invalidate the UK Extension, then it will be a question for the English courts, who may take a different view to the European Court of Justice as to whether the US offers ‘essentially equivalent’ protection. In any case, a challenge to either the EU-US DPF or UK-US Extension is likely to take months, if not years.

In addition, the UK Extension relies on US organisations being able, and wanting, to comply with burdensome requirements relating to data protection. Whilst US organisations (such as Microsoft) which regularly process personal data of UK individuals have already chosen to participate, those who are either smaller or do not process personal data as frequently may choose not to. In those circumstances, existing transfer mechanisms will continue to be relied upon instead.