It is a new day for EU-US and UK-US data regulation.
In July 2023, the European Commission adopted its adequacy decision for the EU-US Data Privacy Framework. This came after 18 months of negotiation following the invalidation of the Privacy Shield previously in place (see the Schrems II decision in the CJEU). The headline is that the USA, once again, provides an adequate level of protection for data processed from the EU.
The UK has now followed suit by making the Data Protection (Adequacy) (United States of America) Regulations 2023, which will come into force on 12 October. These provide an adequacy certificate for the processing of data under Part 2 of the DPA 2018 and the UK GDPR. The Information Commissioner’s opinion on this provides qualified assurance to the Government, subject to four areas of concern.[1]
Those four areas of concern are:
Adequacy Regulations for law enforcement processing have been rather slower to catch up. So far, the only jurisdiction granted an adequacy certificate for law enforcement processing under Part 3 of the DPA 2018 is the island of Guernsey by the Data Protection (Law Enforcement) (Adequacy) (Bailiwick of Guernsey) Regulations 2023, which came into force on 28 July. The Government has announced it is also working on equivalent legislation for the Isle of Man and the Bailiwick of Jersey, which will be completed “in the near future”.
The lack of urgency for this is probably due to the fact that the transitional provisions in paragraphs 10 and 11 in Schedule 21 of the DPA 2018 permitted law enforcement processing to, among other places, the Crown Dependencies.
The adequacy decisions for the USA are obviously of enormous importance to anyone who wants to do business with companies or individuals in America – and, rumour has it, the USA is moderately important when it comes to global business. While the new decisions will no doubt be challenged, the fact that a new framework has been put in place will likely be welcomed by business.
[1] https://ico.org.uk/about-the-ico/what-we-do/information-commissioners-opinions-on-adequacy/the-uk-government-s-assessment-of-adequacy-for-the-uk-extension-to-the-eu-us-data-privacy-framework/
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.