The UK-US Data Bridge
The UK-US data bridge was recently introduced as an extension to the EU-US Data Privacy Framework (“DPF”). The data bridge is designed to promote business between the UK and the US by facilitating the free flow of personal data between the two countries. With this in place, UK businesses will not have to put in place the typical safeguards such as the Standard Contractual Clauses or perform a transfer risk assessment.
The UK-US data bridge follows the European Commission’s adoption of an adequacy decision in respect of the DPF in July 2023, which ensures that data is transferred to the US in a way that complies with EU data protection laws. US businesses may certify themselves with the DPF, thereby committing to comply with certain GDPR-style privacy obligations on an opt-in basis.
At the same time as the DPF came into force, the UK government indicated that it was working towards a similar framework that would allow transfers to be made from the UK to certified US businesses under the UK GDPR. The regulations (the Data Protection (Adequacy) (United States of America) Regulations 2023) stated that under the UK GDPR and the Data Protection Act 2018, the US is an adequate country for the purposes of data transfers from the UK provided:
(i) the transfer is to a US business certified under the UK Extension to the DPF; and
(ii) the recipient complies with its obligations under the DPF.
It is worth noting that only US businesses subject to the jurisdiction of the US Federal Trade Commission or Department of Transportation may certify themselves with the DPF, meaning that businesses within the banking, telecoms and insurance sectors (which are not subject to these regulators) cannot opt in to the DPF extension.
The UK-US data bridge should reduce administrative costs and the time needed to agree and implement data transfers to the US. It should assure data subjects that their data transferred to the US will be protected in line with the requirements in their home country. More broadly, extending the DPF reduces the risk of the UK moving away from the EU’s equivalency expectations. However, organisations should be aware that there are likely to be challenges to the DPF which may have consequences in respect of the UK-US data bridge. As a result, the validity of the data bridge could be affected and therefore businesses should still consider agreeing Standard Contractual Clauses with their important contacts (at the very least) as a fallback should any changes to the DPF occur.
Further, UK businesses should be particularly wary of the type of data being transferred. This is because the DPF definition of special category data is narrower than the definition under Article 9(1) of the UK GDPR, as it does not include genetic data, biometric data or data concerning sexual orientation as ‘sensitive information’.
Organisations transferring personal data from the UK to the US should now make the following checks:
– confirm that the organisation is registered for the DPF;
– confirm that the organisation has also signed up to the UK Extension;
– confirm that the categories of data being transferred are covered; and
– review the US organisation’s privacy policies.
Additionally, UK organisations should update their privacy policies and records of processing activities to reflect any changes in how they transfer personal data to the US.
Should you have any queries regarding the data bridge or the transfer of personal data outside of the UK, please get in touch with our Commercial team, who would be happy to assist.