Data Bridge: A clever US plan for espionage or innovation?

Carding 4 Carders

The British regulator has expressed concerns about the privacy of data that ends up in the United States.

On October 12, the UK's addition to the agreement on the creation of a "data bridge" between the UK and the United States (EU-US Data Privacy Framework, DPF, Data Bridge) will come into force, which will allow certified organizations to easily transfer personal data from the UK to the United States.

Prior to this agreement, the transfer of personal data across the Atlantic was prohibited under the UK General Data Protection Regulation (GDPR) without using transfer mechanisms such as Standard Contractual Clauses (SCC) or Binding Corporate Rules (BCR).

In July, the European Commission decided that the DPF ensures an adequate level of protection of personal data when transferring them between the EU and the United States. The DPF was created as a replacement for the previous agreement, the EU-US Privacy Shield, which was declared invalid in 2020.

Since the UK has not been a member of the European Union since 2020, the DPF does not automatically cover transfers of personal data from the UK to the US. A data bridge has been created for the transfer of personal data from the UK, which will simplify the process of data transfer between the two countries while complying with data protection requirements.

In order for UK data exporters to rely on Data Bridge, a US importer must pass Data Bridge certification. The personal data transferred must be processed in accordance with DPF principles once it is received by the data importer in the United States.

However, the British regulator Information Commissioner's Office (ICO) expressed doubts about the Data Bridge.

  1. Insufficient protection of sensitive data: The definition of "sensitive data" in the bridge differs from the definition in the UK GDPR. The DPF does not include all the special categories of personal data defined in the GDPR, such as biometric data, genetic data, sexual orientation data, and criminal data. This may result in the specified categories of data not being properly protected when transferred to the United States.
  2. Lack of adequate protection of criminal records: The United States lacks protection comparable to that of the United Kingdom's Rehabilitation of Offenders Act of 1974, which restricts the use of criminal records after they are cleared. It is unclear how these protections will apply to information transmitted in the United States.
  3. Reduction of privacy rights: The bridge does not have a significantly similar right to protection from decisions based solely on automated processing, which may have legal or similar consequences for the data subject, similar to the British GDPR. There is also no similar "right to be forgotten" or the ability to withdraw consent, which limits the control of data subjects over their personal information.
  4. Insufficient safeguards to protect the rights of data subjects when making decisions based on automated processing: Data Bridge does not provide for the right to review an automated decision by a person, which may lead to a violation of the rights of data subjects if decisions are made based solely on automated processing.
  5. Insufficient control over personal data: The rights granted by the bridge are not as extensive as those granted by the UK GDPR, which may reduce the control of data subjects over their personal information, especially with regard to revocation of consent and the right to be forgotten.
  6. Specific requirements for data transfers from the UK: Companies that cannot use the data bridge may need to rely on other mechanisms, such as SCCs or BCRs. This may require additional efforts and resources to ensure compliance with the UK GDPR.
  7. Changes to the use of Standard Contract Terms (SCCs): UK data exporters should be aware that EU SCCs can no longer be used for new UK data transfer agreements. Either an addition to the EU SCC is required, or the use of an International Data Transfer Agreement (IDTA) is required, which can create additional problems and require additional resources.

It remains to be seen how the Data Bridge will function in practice, especially given the concerns expressed by the ICO. Such an innovation is likely to attract the attention of many data protection companies and experts seeking a smoother and more legitimate data flow between the UK and the US.
 