The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

Adequacy decisions – Go West, young man

28 September 2023

It is a new day for EU-US and UK-US data regulation.

In July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. This came after 18 months of negotiation following the invalidation of the Privacy Shield previously in place (see the Schrems II decision in the CJEU). The headline is that the USA, once again, provides an adequate level of protection for data processed from the EU.

The UK has now followed suit by making the Data Protection (Adequacy) (United States of America) Regulations 2023, which will come into force on 12 October. These provide an adequacy certificate for the processing of data under Part 2 of the DPA 2018 and the UK GDPR. The Information Commissioner’s opinion gives the Government qualified assurance, subject to four areas of concern.[1]

Those four areas of concern are:

  • The definition of ‘sensitive information’ under the UK Extension does not specify all the categories listed in Article 9 of the UK GDPR. Instead, the UK Extension includes a catch-all provision specifying, “…any other information received from a third party that is identified and treated by that party as sensitive.” Accordingly, UK organisations will need to identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a US certified organisation so it will be treated as sensitive information under the UK Extension. However, there is no current requirement for UK organisations to identify information as sensitive. This creates a risk that the protections may not be applied in practice.
  • For criminal offence data, the ICO understands that there may be some risks even where this is identified as sensitive because there are no equivalent protections to those set out in the UK’s Rehabilitation of Offenders Act 1974 relating to ‘spent’ criminal convictions, including the ability to request that this data is deleted, and it is not clear how these protections would apply once the information has been transferred to the USA.
  • The UK Extension does not contain a substantially similar right to the UK GDPR in protecting individuals from being subject to decisions based solely on automated processing which would produce legal effects or be similarly significant to an individual. In particular, there is no provision for the right to obtain a review of an automated decision by a human.
  • The UK Extension contains neither a substantially similar right to the UK GDPR’s right to be forgotten nor an unconditional right to withdraw consent. The control over one’s personal data afforded by the UK Extension is not as extensive as the control when those personal data are in the UK.

Adequacy Regulations for law enforcement processing have been rather slower to catch up. So far, the only jurisdiction granted an adequacy certificate for law enforcement processing under Part 3 of the DPA 2018 is the island of Guernsey by the Data Protection (Law Enforcement) (Adequacy) (Bailiwick of Guernsey) Regulations 2023, which came into force on 28 July. The Government has announced it is also working on equivalent legislation for the Isle of Man and the Bailiwick of Jersey, which will be completed “in the near future”.

The lack of urgency for this is probably due to the fact that the transitional provisions in paragraphs 10 and 11 in Schedule 21 of the DPA 2018 permitted law enforcement processing to, among other places, the Crown Dependencies.

The adequacy decisions for the USA are obviously of enormous importance to anyone who wants to do business with companies or individuals in America – and, rumour has it, the USA is moderately important when it comes to global business. While the new decisions will no doubt be challenged, the fact that a new framework has been put in place will likely be welcomed by business.

[1] https://ico.org.uk/about-the-ico/what-we-do/information-commissioners-opinions-on-adequacy/the-uk-government-s-assessment-of-adequacy-for-the-uk-extension-to-the-eu-us-data-privacy-framework/ 

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.
