New UK-U.S. Data Bridge and another hefty GDPR fine for TikTok

Written by Aušra Mažutavičienė
September 26, 2023

In this privacy news:

  1. The UK Extension to the new EU-U.S. Data Privacy Framework is coming into effect this autumn. However, the EU-U.S. Data Privacy Framework on which it is built is already being challenged.
  2. TikTok has received its biggest fine to date (and its second in less than six months).

1. UK-U.S. Data Bridge is approved

On September 21, 2023, the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension) was approved. The extension creates a UK-U.S. Data Bridge, allowing UK businesses to transfer personal data to U.S. businesses that are certified to the UK Extension.

The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’, and describes a decision to permit the flow of personal data from the UK to another country without the need for further safeguards.

The new UK-U.S. Data Bridge will take effect on October 12, 2023. Until that date it is not a valid transfer mechanism.

What does this mean for you?

From October, it will also be easier for companies in the UK to send personal data to the U.S.

However, UK companies can’t simply transfer personal data to any company in the U.S.

For the data to flow freely, the receiving U.S. company must be certified to the UK Extension and must appear on the Data Privacy Framework (“DPF”) List.

This means that UK companies need to:

  1. Check that the U.S. company appears on the DPF List (search by typing the company name into the search bar);
  2. Confirm that the company has signed up to the UK Extension (check the participation details in the same list entry);
  3. Make sure that the entity’s certification status is listed as “active”;
  4. If HR data will be shared, make sure that the entity’s listed certification covers HR data.

However, the work doesn’t end there. UK organisations also need to update their privacy policies, data processing agreements and records of processing activities (RoPA) to reflect any change in how they transfer personal data to the U.S., and to make sure a data processing agreement is in place with any U.S. processor before data flows.

For more details, here’s a helpful factsheet for UK organisations.

What’s next?

With the UK Extension approved, only Switzerland’s adequacy decision for the DPF remains outstanding, and data can, at least on paper, flow safely to the U.S. again. But is that really the case? And for how long?

The DPF is already being challenged.

On September 6, not even two months after its adoption (and no, not by Schrems!), Philippe Latombe, a member of the French Parliament, filed two challenges: one seeking the immediate suspension of the framework, and another contesting its content.

With these challenges pending, keeping the EU’s standard contractual clauses (SCCs), or for UK transfers the International Data Transfer Agreement (IDTA) or UK Addendum to the SCCs, in place as a fallback transfer mechanism is a sensible precaution: if the DPF is suspended or invalidated, transfers relying solely on it would have no legal basis overnight.

In light of the continuous challenges and the rapid development of the privacy landscape, it can be hard to stay on top of things.

If you want to keep up with the ever-changing rules, join us for a free Masterclass on International Data Transfers on October 4, 2023. We have great speakers joining who will take us through the key aspects of international data transfers. Find more details and sign up here.

2. TikTok is fined (again)!

Less than six months after its April 2023 fine by the UK Information Commissioner’s Office, TikTok has received yet another fine in relation to its processing of children’s personal data.

This time, the Irish Data Protection Commission has fined TikTok €345 million for failings in how it handled children’s accounts, including not verifying that the adult approving a child’s account through its Family Pairing feature was in fact a parent or guardian, and setting children’s accounts to public by default.

This is the largest fine to date for the platform.

What can we learn here?

It’s perhaps not surprising that large social platforms are scrutinised more closely than smaller companies. But this new fine shows the increasing focus on platforms handling data about children. It also shows that the size of GDPR fines is increasing.

As TikTok’s latest fine makes clear, setting a child’s account to public by default is a big no-go. A close review of these practices, starting with default privacy settings and how account approvals are verified, would be a good exercise for any company wanting to stay on the right side of privacy law.