UK-to-US Data Transfers Resume Under Revamped Sharing Framework


US companies can start using a new mechanism to digitally transfer consumers’ personal data from the United Kingdom without taking extra protective steps as a revamped compliance framework takes effect on Thursday.

Eligible companies hoping to use the international data bridge—updated to address concerns about the breadth of US intelligence agencies’ surveillance—will have to self-certify adherence to a set of privacy protections consistent with the European Union’s landmark 2016 data privacy law. The pact, the UK Extension to the EU-US Data Privacy Framework, follows an executive order from President Joe Biden that strengthened privacy protections surrounding intelligence-gathering and will enable participating US companies to bring UK citizens’ data stateside.

The data flow agreement provides a more efficient way to transfer data, assigns federal regulators new oversight responsibilities, and defines the limits placed on US government surveillance. It builds on the protections from the previous trans-Atlantic data-sharing Privacy Shield that a European court invalidated in 2020, citing US surveillance deemed to invade European individuals’ privacy in violation of the defining General Data Protection Regulation.

Any of the 2,500-plus US companies already participating in the renewed EU framework program are eligible to certify for the UK extension. Both are designed to streamline how US businesses comply with European privacy rights established in GDPR.

The UK extension offers a “significant legal benefit” over alternative forms of data sharing with the country, like contractual clauses, according to Brian Hengesbaugh, who helped develop the EU-US Safe Harbor—the Privacy Shield’s predecessor data-sharing mechanism—when he served as special counsel to the Department of Commerce.

Companies using the framework can relieve the “administrative burden” of developing standard contractual clauses for every international data transfer, said Hengesbaugh, now the chair of Baker & McKenzie LLP’s global data privacy practice. He added that participating in the data bridge can also demonstrate “that you take European privacy compliance seriously,” and allow companies to benefit from an increased understanding of what European privacy rules to follow.

Framework participants aren’t required to create case-by-case impact reports assessing the risks of transferring personal data for each new contractual agreement. Businesses that don’t participate in the framework and still rely on standard contractual clauses to ensure European privacy compliance, however, still have to take the extra step of conducting individual impact assessments.

More than 800 companies, including Alphabet Inc.’s Google and Microsoft Corp., have already certified for the UK framework extension, which is enforced by the Federal Trade Commission and US Transportation Department.

Businesses in the banking, insurance, telecommunications, and other sectors not regulated by the FTC or the Transportation Department aren’t currently eligible to participate in the EU-US framework or the UK extension.

Contracts, Oversight

Companies transferring personal data under the EU-US framework are limited to collecting and storing it only for the purposes for which it was initially collected. Businesses that want to use information for another reason or to share it with a third party must first give individuals a chance to opt out.

That requirement offers some protection should companies face legal liability over their data-sharing practices, said Dona Fraser, the senior vice president of privacy initiatives at BBB National Programs, an industry self-regulation nonprofit.

“What we hear from companies most is that they feel like the contractual clauses address their issues with their third-party vendors, but not this specific issue that they need to address with the consumer-facing side,” Fraser said.

The framework serves as an accountability program businesses can cite as proof of their data protection efforts should they ever face privacy complaints or litigation, Fraser said.

Europeans who believe a business isn’t complying with the framework’s principles can file complaints with the US agencies, which in turn can investigate and seek court orders or administer civil penalties.

Participating companies should avoid treating the framework as a “check-the-box exercise” to preempt compliance investigations, said Odia Kagan, chair of GDPR compliance and international privacy at Fox Rothschild LLP. They should instead make sure that their privacy notices and third-party agreements are updated from the requirements of the last framework, she said.

“The FTC is going to be enforcing, they’re gonna be doing spot checks, and when they do, they’re going to be looking for different things and a higher standard than they did eight years ago,” Kagan said.

The US Justice Department is also stepping up its regulatory oversight as part of the framework, establishing a Data Protection Review Court to review investigations of complaints regarding improper government surveillance.

Viability Questions

The latest European data privacy framework is already facing a legal challenge from Philippe Latombe, a member of France’s Parliament who has asked the EU’s General Court to suspend the agreement over concerns it still doesn’t adequately protect individual privacy.

Max Schrems, the honorary chairman of the European Center for Digital Rights whose legal challenge successfully suspended the Safe Harbor, has also been vocal about his plans to challenge the new framework.

The anticipated challenges to the framework have made some companies apprehensive about participating, wondering whether it is “really worth the time” if it also runs the risk of invalidation, Hengesbaugh of Baker & McKenzie said.

But a legal challenge could take years, and most businesses would benefit from engaging in trans-Atlantic data transfers in the interim, he said.

Fraser agreed, saying companies shouldn’t be deterred and should instead take the opportunity to “rote test” the framework while legal challenges unfold.

Skeptics have also expressed concern that the privacy agreements reached under the framework, as they relate to US government surveillance, are bound only by a presidential executive order that could be easily revoked or changed.

Although the order doesn’t have the status of a law that can be undone only by an act of Congress, former DOJ prosecutor and current Perkins Coie LLP partner David Aaron said he doesn’t expect a future administration to nullify it given its foundational nature in the intelligence community.

“Trans-Atlantic data transfer is essential to commerce,” Aaron said. “Any obstacle to data transfer substantially impedes commerce, which also impedes relationships across the Atlantic, so working through this by gaining trust and facilitating commerce becomes very important for businesses on both sides of the Atlantic.”
