The UK has used a statutory instrument to introduce new rules designed to allow the sharing of personal data between the island nation and the US in compliance with data protection law.
However, one law firm said the fate of the new arrangement could depend on the outcome of challenges to data-sharing rules established between the European Union and the US in July.
The UK government has laid adequacy regulations before Parliament without requiring further legislation, as statutory instruments allow. It said UK businesses and organizations could use the "data bridge" to the US to move personal data to certified organizations once the regulations come into force from October 12.
"Data bridge" is the UK government's term for adequacy, allowing data sharing between jurisdictions. It "describes the decision to permit the flow of personal data from the UK to another country without the need for further safeguards," the government said.
The move will be seen as a success in squaring the circle between maintaining the adequacy arrangement with the EU that is necessary for sharing data with the world's richest trading bloc since the UK decided to leave, while also giving the UK the opportunity to make its own deals.
However, Peter Church, counsel for law firm Linklaters, said much would hinge on the outcome of challenges to the EU-US Data Privacy Framework.
"The announcement by the UK government that it will extend the EU-US Data Privacy Framework to the UK is welcome and will definitely help UK businesses operating in the US or dealing with US service providers," he told The Register.
Coming into effect in July, the European Commission adopted an agreement with the US, reopening transatlantic data flows between America and Europe.
But Church said that framework was already being challenged in the EU. Earlier this month, French MEP Philippe Latombe filed two lawsuits with the EU Court of Justice hoping to overturn it. The challenge has already won support in Germany, according to reports. Lawyer and campaigner Max Schrems said he was considering legal options to challenge the arrangement.
"It is unlikely that a formal challenge to the UK extension would be made or would be successful. The EU challenge is rooted in the EU Charter of Fundamental Rights, which no longer applies in the UK, and the significant enhancements in US privacy laws... suggests that any challenge will struggle on the merits," Church said.
"Having said that, the fate of the UK extension is closely tied to the outcome of any challenge in the EU. If the EU-US Data Privacy Framework were to be invalidated by the CJEU - again - US companies might well just abandon the scheme and the UK government may have to terminate the UK extension in order to preserve the UK's adequacy status as regards the EU."
The UK adequacy status with the EU was approved in 2021, but the bloc's lawmakers are keeping the status under ongoing review. ®
Penguin emperor ponders whether kernel contributors will code across the festive season, or humbug it
AI in brief PLUS: Microsoft to invest £2.5B in UK datacenters to power AI, and more
'Unfortunately or fortunately, this is going to be a trend'
HPE Discover EMEA Company counting on widespread business adoption to counter server declines
Mixing IBM's foundation models and proprietary data to discover novel antibodies
Groups claim Federated Data Platform requires new legislation to go ahead
Expect the former in a Linux Mint point release later this year