Data bridge over troubled water: agreement in principle to extend EU-US Privacy Shield 2.0

On 8 June 2023, UK and US government officials announced that they had “committed in principle” to establishing a data bridge that would operate as a UK-specific extension to new data privacy framework agreement that is currently being negotiated between the US and the EU (the Privacy Shield 2.0). This agreement in principle is contingent on the UK’s assessment of US privacy laws, the final Privacy Shield 2.0, and the US’ designation of the UK as a qualifying state under Executive Order 14086.

Under the EU GDPR and the UK GDPR, transfers of personal data from the EU or the UK to a country outside the EEA or UK can only be conducted in accordance with an international transfer mechanism and appropriate safeguards. If the third country does not, in the opinion of the European Commission or UK Secretary of State, have an equivalent standard of data protection (an adequacy decision), organisations must ensure that "appropriate safeguards" pursuant to Article 46 EU GDPR and UK GDPR are in place, for example, standard contractual clauses or an international data transfer agreement.

In 2020, Schrems II struck down the US’ adequacy decision for the first Privacy Shield (the Original Privacy Shield), given concerns about the US government’s surveillance powers. Since 2020, any transfers of personal data from the EU and the UK to the US have been restricted under the EU and UK GDPR (respectively) and are only permitted where “appropriate safeguards" are in place. This decision has led to some notable fines, in particular and most recently, the fine against Meta in May of this year (which we covered in a previous article).

The EU and the US have been negotiating the Privacy Shield 2.0 to offer more robust protection for the personal data of EU-based data subjects when transferred to the US. The European Commission has signalled its intention to adopt an adequacy decision in respect of the Privacy Shield 2.0, provided the framework meets its privacy concerns. The UK has been having equivalent discussions, and as of 8 June, have agreed to extend the Privacy Shield 2.0 to the UK. The Privacy Shield 2.0 and the data bridge are not a carte blanche to transfer personal data to the US however, US-based organisations will have to self-certify and sign up to the Privacy Shield 2.0.

The aim of the Privacy Shield 2.0 is to simplify the transfer of personal data to the US and make it more cost-effective for EU businesses. The data bridge aims to have the same effect, but in respect of the personal data of UK-based data subjects.

While there is no certainty as to when the Privacy Shield 2.0 and the data bridge might come into effect (assuming they are approved as expected), it is hoped that they will be in force by the end of 2023. This prospect will be welcomed by businesses in the EU and UK which routinely send personal data to the US, particularly those re-examining their transfer mechanisms and safeguards following the Meta fine. Until then, UK businesses wishing to transfer personal data of data subjects to the US must continue to implement appropriate safeguards, such as the ICO’s approved international data transfer agreement.