A new UK-US ‘data bridge’, which will allow information to flow between businesses on both sides of the Atlantic, is set to come into force next month. But it will first be scrutinised by parliament’s Regulatory Policy Committee (RPC), which today revealed it deemed an initial assessment into the impact of the regulations, carried out by the government, to be “not sufficiently robust”.
Ministers announced yesterday that the data bridge will be bolted on to the new EU-US data privacy framework, and come into effect on 12 October. An agreement between the two countries was reached over the summer after months of negotiations.
But in a statement released this morning, the Regulatory Policy Committee (RPC), an independent group of experts that scrutinise government policy plans, said it is currently looking at the impact assessment (IA) report on the data bridge provided by the Department for Science, Innovation and Technology (DSIT).
“The IA for the regulations was first submitted on 4 August for RPC scrutiny,” the statement said. “The RPC’s initial review of the IA, sent to the Department for Science, Innovation and Technology on 15 September, found that it was not sufficiently robust, and identified areas where improvements should be made. We considered that the points raised would generate a red-rated opinion, if not addressed adequately.”
The RPC did provide details of its concerns, but a red-rated opinion would mean the impact assessment is not fit for purpose and the evidence and analysis provided are not of sufficient quality. Tech Monitor has contacted the RPC for further details.
The committee said it received a revised version of the IA on 20 September. “The RPC will now resume its scrutiny and provide a published opinion as soon as is possible to assist both DSIT and Parliament,” the statement added.
How the UK-US data bridge will work
Under the data bridge agreement, “UK businesses and organisations will be able to make use of this data bridge to safely and securely transfer personal data to certified organisations in the US,” a statement from DSIT said.
Businesses in both the UK and US will need to meet the requirements of the data bridge, which will include obtaining a new certification and demonstrating that they have up-to-date privacy policies.
It will come into force as an extension of the EU-US data privacy framework, a new deal that is designed to allow information to flow freely between the two continents. Divergence from EU data rules has been heralded by the government as a potential benefit of Brexit, with a replacement for GDPR set to be introduced. However, it would appear that for US data transfers, the UK is happy to follow the lead of its European counterparts.
Data transfers from Europe to the US have been the subject of much scrutiny and legal action in recent years. Two predecessors to the EU-US data privacy framework, Safe Harbour and the Privacy Shield, were quashed by the European Court because it deemed data in the US is not protected in a way that complies with Europe’s GDPR. This is because US law allows security agencies to requisition data from private companies. Privacy campaigner Max Schrems, who brought both successful lawsuits against the agreement’s predecessors, says this new attempt is no different and is likely to launch new action.
What will the UK-US data bridge mean for tech leaders?
Currently, businesses can use another data transfer method, standard contractual clauses, to transfer information to and from the US. The legality of this method under GDPR has yet to be tested in court.
The new agreement could reduce the burden on businesses, argues Joe Jones, director of research and insight at the International Association of Privacy Professionals (IAPP). Writing on the IAPP website, Jones said: “Thousands of UK organisations use – and may continue to make use of – alternative transfer mechanisms to transfer personal data from the UK to the US.
“When doing so, those organisations have been required to complete a transfer risk assessment, to consider whether, in the circumstances of the transfer and with the chosen alternative transfer mechanism, the relevant protections for people under the UK data protection regime would be undermined by the laws and practices of the third country.”
Jones said that “performing that assessment for any third country’s surveillance laws and practices has long been one of the most complex and challenging exercises for organisations”. He added: “There are good arguments to say that, from 12 October, UK organisations will no longer need to perform such assessments when it concerns US surveillance laws and practices.”