UK-US Data Bridge

UK-US Data Bridge: The wait is over

On 21^st September 2023, the UK Secretary of State laid the regulation in Parliament to establish the UK-US Data Bridge (The Data Protection (Adequacy) (United States of America) Regulations 2023) (the “Data Bridge”). The Data Bridge follows commitments made by both countries to establish the UK Extension to the Data Privacy Framework.

In this article, we take a deeper dive into what this means for UK organisations wishing to transfer personal data to the US.

What is the UK-US Data Bridge?

Under the Data Protection Act 2018, the Secretary of State has the power to create a ‘data bridge’ to allow the safe transfer of personal data from the UK to a third country without additional safeguards where that country provides the same level of protection for personal data as under the UK GDPR i.e. ‘adequacy’. The UK-US Data Bridge is an adequacy regulation allowing transfers of personal data from the UK to US organisations that have signed up to the UK Extension to the EU-US DPF (“DPF Extension”).

Why does the UK need a UK-US Data Bridge?

Previously, when the UK was a member of the EU, there were two adequacy decisions between the EU and the US (the Safe Harbour Privacy Framework and EU-US Privacy Shield) which the UK relied upon to transfer personal data to the US without additional safeguards. However, both adequacy decisions were invalidated by the Court of Justice of the European Union (“CJEU”) decisions in 2015 and 2020 (also known as Schrems I and Schrems II, respectively). Following Brexit, the situation between the UK and the US regarding the free flow of personal data remained unchanged – the US was still deemed as not providing the same level of protection for personal data as under the UK GDPR.

On 10^th July 2023, the European Commission granted an adequacy decision for the US under the EU-US Data Privacy Framework (“EU-US DPF”), recognising the US as providing an adequate level of protection for personal data. This means personal data can now freely flow from the EU to US organisations that sign up for the EU-US DPF, without the need for additional safeguards. You can read more about the EU-US DPF and what it could mean for your organisation.

However, as the UK is no longer part of the EU, the EU-US DPF did not change the situation for the UK; a separate arrangement was needed between the UK and the US to facilitate the free flow of data again.

In June this year, President Biden and Prime Minister Sunak made a commitment in principle to extend the EU-US DPF to the UK, subject to the UK data bridge assessment. After assessing the UK Extension to the EU-US DPF, the Secretary of State made the decision to establish the data bridge. The agreement needed between both countries is now finalised, and the UK-US Data Bridge will become effective from the 12^{th of} October 2023.

What should UK organisations do now?

As the DPF Extension only applies to US organisations that have certified to the scheme and there are important differences regarding the definitions of special categories and sensitive data, UK organisations wishing to rely on the DPF Extension should:

1. Check the DPF list to confirm that the US organisation you wish to send personal data to is an active participant in the scheme. Remember to check which scheme the organisation is signed up to; the EU-US DPF only covers EU-to-US transfers and the DPF Extension only covers UK-to-US transfers;
2. Review the DPF program record to gain further information about the relevant US organisation such as their privacy policy and dispute resolution contact details;
3. Ensure that any special category and sensitive data you are sending is marked as such so that they are afforded appropriate treatment by the US organisation;
4. Check which type of data the US organisation is covered to receive, which could be HR data, non-HR data or both. This is also indicated within the organisation’s DPF program record,
5. Review your documents that include references to international transfer mechanisms (e.g. privacy notices and data processing agreements) and update them to reference this new framework.

What happens if a US organisation is not signed up to the DPF Extension

If a UK organisation is transferring personal data to a US organisation that is not signed up to the DPF Extension, the UK organisation cannot rely on the DPF Extension to make the transfer. In such situations, the UK organisation will need to revert to an alternative safeguard, such as the International Data Transfer Agreement. Also, under such circumstances, the organisation transferring the data from the UK to the US will need to conduct a Transfer Risk Assessment.

What does the future hold for the UK-US Data Bridge?

As part of its requirement to monitor data bridges, the UK government will continue to monitor the DPF, to ensure it continues to provide the level of protection for personal data as prescribed under the UK GDPR.

The EU-US DPF has already faced criticisms, most notably from privacy activist, Max Schrems. In particular, he highlights that Executive Order 14086 and the Data Protection Review Court only made slight improvements to the arrangement under Privacy Shield and have not gone far enough to address the concerns that were raised in the Schrems II case.

Whilst the UK Government is no longer bound by the decisions of the CJEU, any future decisions regarding the DPF will be hugely influential in its review of the DPF Extension, and so arguably, the future remains uncertain for the transfer of personal data across both sides of the Atlantic.

Do you need guidance on international data transfers?

Should you need any assistance in relation to international transfers of personal data or would like to discuss the DPF, please get in touch, we would be glad to help.