What’s Happening with the UK-US Data Privacy Agreement?
Table Of Contents:
In 1858, when engineers laid the first communications cable between the UK and the US, the big challenge was squeezing the countries’ telegraph signals down a single wire. Since then, the public and private sectors have run thousands of miles of fibre optic cable under the Atlantic that transfers terabits of data per second. These days, the obstacles to transatlantic data exchange aren’t technological – they’re legal.
The EU twice established privacy rules governing the exchange of data about its citizens with the US, which also governed the UK as an EU member. After both of these were ruled illegal, the bloc moved to create a third. Three years after leaving Europe, the UK has been negotiating its own adequacy agreement with the US. How is that going?
How Did We Get Here?
The EU and the US established their Privacy Shield data adequacy agreement in 2016 after a successful legal challenge to their original Safe Harbour agreement. Privacy Shield allowed US companies to self-certify with the US Department of Commerce to receive data from European companies.
Having challenged Safe Harbour, Austrian lawyer Max Schrems again challenged Privacy Shield in court, and the Court of Justice of the European Union (CJEU) invalidated it in July 2020. Since then, UK businesses wanting to exchange data with the US have had to rely on standard contractual clauses (SCCs). These agreements between companies allow for data exchange, but they require more work to implement. The UK has replaced SCCs with its International Data Transfer Agreement (ITDA), although it still allows people to use EU SCCs by applying a special UK addendum.
SCCs and ITDAs can support ad hoc bilateral data exchange between organisations, but a standard inter-governmental umbrella agreement would make things easier for businesses. So, the race has been on to establish an alternative to Privacy Shield.
Hatching a UK-US Agreement
The UK has been working on its own data adequacy arrangement with the US in parallel with the EU. It issued a joint statement on this plan with the US last August, bundling cross-border data flows together with numerous technology initiatives ranging from telecoms diversity to quantum computing.
The UK Department for Digital, Culture, Media & Sport (DCMS) goes through four stages in its data adequacy assessments with other countries: gatekeeping, assessment, recommendation and procedural. Gatekeeping is when the Ministry decides whether to begin an adequacy assessment of a nation at all. During an assessment, it gathers and interprets data on the country in question based on a standard template before making a recommendation to the secretary of state. The secretary then consults with the Information Commissioner’s Office (ICO) on whether to determine adequacy. Once past that stage, the Ministry produces legislation in Parliament.
The DCMS doesn’t offer a specific date for the completion of that process for the UK-US adequacy agreement, but it has advanced a long way. Last October, both the EU and UK adequacy negotiations with the US took a step forward when the White House issued an Executive Order on Enhancing Safeguards for United States Signals Intelligence. It vowed to establish a Data Protection Review Court that would give UK and EU individuals a way to contest any use of their data by the US authorities.
This pleased the DCMS, which issued a statement praising the US move and promising to prepare adequacy regulations for Parliament early this year. In January, UK Secretary of State for the DCMS Michelle Donelan and US state officials properly kicked things off at the inaugural meeting of the US-UK Comprehensive Dialogue on Technology & Data. The two countries agreed to finalise and implement a data bridge for US-UK data flows “in 2023”.
What Happens Next?
The US adequacy agreement isn’t the UK’s only initiative. International data flows are part of its National Data Strategy. The government is also pursuing adequacy agreements with Australia, the Republic of Korea, Singapore, the Dubai International Financial Centre and Colombia. Deals with India, Brazil, Kenya, and Indonesia are on its to-do list.
Politico reported that the EU-US TransAtlantic Data Privacy Framework agreed in October would take the EU around six months to implement. That means that we expect it sometime around next month. The UK might be aligning its legal ducks before dropping US adequacy legislation in Parliament. Still, hopefully, it won’t take much longer so that it can align with the EU’s announcement.
Until they see those details, lawyers look at the Executive Order for guidance. Noyb.eu, the non-profit privacy group that Schrems founded, has already voiced concerns about a lack of privacy protection for EU citizens in that document. The organisation has criticised it for being weaker than GDPR and leaving room for US intelligence agencies to continue bulk surveillance. This criticism suggests that legal troubles for the agreement might be ahead before it is even passed.
The UK government, which is already planning its departure from GDPR with weaker data protection rules, might not be as worried about these issues, but its opponents might be. While data takes mere milliseconds to traverse the ocean, legal and political machinations take a little longer.