What does the UK-US data bridge mean for transfers of personal data to the US?
The UK has made a new adequacy decision, allowing UK organisations to freely transfer personal data to US organisations that are signed up to the ‘UK-US Data Bridge’ from 12 October 2023.
All UK businesses must comply with international data transfer law rules when transferring personal data to countries outside of the UK. Historically, transferring personal data to the US has been challenging under both European and UK data protection laws. This is because US law enforcement authorities have had unrestricted ability to access data, and this has been a big concern from a data privacy perspective. Attempts to create safe data transfer mechanisms have failed previously.
Now, however, the new UK-US Data Bridge arrangement will allow organiations to transfer to personal data to the US without needing to put in place additional safeguards. This is welcome news for UK businesses. This article will explore what the UK-US Data Bridge is and what it will mean for businesses.
This is a new development, and this note covers the key points for you to know now. For detailed advice on this topic and its practical use, please speak to our expert data protection solicitors, and we’ll guide you through the most appropriate data transfer safeguards for your business.
Contents:
The background to transferring data compliantly
International data transfers can be very difficult from a data protection law compliance perspective.
The UK General Data Protection Regulation (UK GDPR) requires that organisations must ensure that personal data is adequately protected when it is transferred outside of the UK. Countries outside of the UK (such as the US) are deemed ‘third countries’ and international data transfer law rules apply when transferring personal data to them. The UK GDPR requires recipients of personal data who are based outside of the UK to protect the personal data of UK residents.
If an ‘adequacy decision’ is granted by the UK, it means that personal data can freely be sent to a third country, as the UK deems that that country affords the same level of protection to personal data as is afforded to it in the UK.
Without an adequacy decision, organisations need to put in place ‘additional safeguards’ in order to transfer personal data to third countries, such as the commonly used ‘Standard Contractual Clauses’ or the UK ‘International Data Transfer Agreement’. See our article on the IDTA and UK addendum, for more information.
From 12 October 2023, the UK has made a partial finding of adequacy in respect of US organisations who are certified with the UK-US Data Bridge arrangement.
What is the EU-US Data Privacy Framework?
We discussed the news of the European’s Commission’s adequacy decision for the EU-US Data Privacy Framework (the DPF) in July 2023.
The European Commission adopted an adequacy decision for the DPF on 10 July 2023, which replaced the prior EU-U.S. Privacy Shield, (declared invalid by the Court of Justice of the European Union in the Schrems II decision of July 2020).
The DPF is an opt-in certification scheme for US organisations and is enforced by the Federal Trade Commission and Department of Transportation, administered by the Department of Commerce. The DPF includes various enforceable principles and requirements which certifying organisation must comply with (including a requirement to commit to data protection assurances) to be a part of it. Its principles include commitments to data protection and set out how organisations should use, collect and disclose personal data.
European organisations can transfer personal data from the EU to US organisations self-certifying to the DPF, without needing to implement additional data protection safeguard measures. This is because the new DPF is now considered to provide ‘adequate protection’ for personal data flows.
What is the UK-US Data Bridge?
Post Brexit, the DPF does not allow for the transfer of personal data from the UK to the US.
However, the UK government have announced the new ‘UK-US Data Bridge’ which essentially is an extension to the EU-US DPF. The adequacy regulations and documents can be found on the .gov website.
The purpose of the the UK-US Data Bridge is to ensure that high standards of protection of personal data are upheld when data is sent to the US.
What this means is US businesses which self-certify under the DPF can now opt-in to a ‘UK extension’ meaning UK organisations can transfer personal data to them freely. The Data Bridge means that the UK has deemed that personal data can be exported to the US freely, without needing to put additional measures in place.
Some key points to note about the UK-US Data Bridge works are as follows:
- From 12 October 2023 onwards, businesses in the UK can begin to transfer personal data to US organisations which are certified to the ‘UK Extension to the EU-US Data Privacy Framework’. UK data exporters will only be able to rely on the new UK-US Data Bridge if the US organisations they plan to send personal data to are self-certified to both the DPF and the UK-US Data Bridge. UK organisations who want to transfer personal data to the US will need to check if the relevant US organisation is certified under the UK extension to the DPF. If so, the transfer of personal data to those organisations can proceed freely.
- By using this international data transfer mechanism, UK businesses will not need to put in place extra safeguards (such as the UK International Data Transfer Agreement).
- If the US recipient doesn’t participate in the DPF, the UK company sending personal data to them must use another existing appropriate safeguard to send them personal data. For example, the International Data Transfer Agreement, or the UK’s Addendum to the EU Standard Contractual Clauses (or another lawful derogation under the UK GDPR which allows for the transfer of personal data to the US).
- However, it is important to note that the UK-US Data Bridge will not be appropriate for all data transfers to the US. For example, the UK-US Data Bridge is unlikely to be suitable for sharing special category personal data to US organisations.
What should UK businesses do now?
This is a complex and new topic, but here are some key issues for businesses to consider if they wish to rely on the UK-US Data Bridge:
- UK organisations should consider updating their existing privacy policies to mention reliance on the UK-US Data Bridge and how they will transfer personal data to the US.
- UK organisations should update their data processing activities records, to reflect any changes in how they transfer personal data to the US.
- UK organisations should ensure they properly check that all necessary requirements are met before relying on the UK-US Data Bridge. This will include carefully checking whether US businesses are certified to the UK extension to the DPF. They will also need to check if the UK-US Data Bridge is the correct mechanism for their data transfer, depending on what types of personal data they wish to send to the US.
- It is still important for UK businesses to carry out due diligence on all US based organisations with whom personal data will be shared, regardless of the transfer mechanism used. This is a requirement under the UK GDPR.
In practice, it is hoped that the new UK-US Data Bridge will mean that transfers of personal data to the US will now be much easier. The DPF has however, already faced challenges with organisations trying to bring it down.
As such, for belt and braces, some organiations may wish to continue using other international data transfer mechanisms for the transfer of personal data to the US (such as the UK International Data Transfer Agreement).
Significantly, the UK ICO (the data protection regulator) has provided an opinion observing potential risks around the use of the UK-US Data Bridge. It is likely that some categories of data cannot be transferred under the Data Bridge (e.g. criminal offence data or some special categories of data).
Given the complexity and how new these developments are, it’s important to take legal advice on the next steps for your business and what you should do to ensure that your transatlantic data transfers are compliant with the UK GPDR rules.
Conclusion
In summary, the new UK-US Data Bridge will be welcome news for organisations in the UK who transfer personal data to the US.
The UK-US Data Bridge is likely to help reduce costs for businesses and give them peace of mind around their international data transfer mechanisms, given the historical problems associated with transferring personal data to the US and the time and costs required to carry out detailed transfer risk assessments and put in place contracts with US organisations.
However, there are various steps which businesses will need to take to rely upon the UK-US Data Bridge for US data transfers. Businesses should continue to monitor developments in this space and seek advice if they are unsure about their obligations.
Please note that this is a fast-developing area and the feedback in this guide is accurate as at October 2023. However, we expect further updates to follow around the precise mechanisms of the UK-US Data Bridge. This is a complex and important topic for businesses, so please contact us if you would like legal advice on the UK-US Data Bridge or on any aspects of UK GDPR compliance.