UK-US Data Bridge – The UK bridges the gap for US data transfers

On 12th October 2023, the UK-US Data Bridge came into force. This means there is now a mechanism for businesses to transfer data from the UK to the US without complying with additional contractual safeguards. However, as there is a risk that the DPF will face a legal challenge in the future, businesses should also consider having other mechanisms in place to future proof data transfers.

What is the Data Bridge?

The UK Government approved "adequacy" regulations relating to the US, which allow UK businesses to securely transfer personal data to certified organisations in the US, in compliance with the UK GDPR, without the need to implement additional contractual safeguards.

These adequacy regulations (the "Data Bridge") were approved on 21 September 2023 and came into full force on 12th October 2023.

How the Data Bridge works

The UK-US Data Bridge is an extension to the EU-US Data Privacy Framework ("DPF"), which is a bespoke, opt-in certification scheme for US based organisations.

The DPF, which replaces the previous Privacy Shield framework, includes a set of enforceable principles and requirements that must be certified to, and complied with, in order for US organisations to be able to join the DPF. These requirements broadly mirror the requirements imposed on UK and EU organisations under the UK GDPR and EU GDPR.

For an organisation in the US to participate in the DPF and Data Bridge, it must "self-certify" via the DPF website and publicly commit to comply with the DPF principles – this includes stating in its website privacy policy that it is complying with the DPF principles. In turn, the DPF website maintains a searchable register of all certified organisations, making it simple to check whether an organisation is, in fact, certified. If the relevant organisation is not listed on the DPF website, it is not certified. The DPF website also allows US organisations to indicate whether they are seeking to receive HR personal data – if that has not been indicated, HR data should not be shared with the relevant organisation under the Data Bridge.

It is important to note that, whilst the DPF website is a very good indication as to whether an organisation is certified, it is not necessarily definitive and therefore should not be taken at face value. There are additional, publicly facing obligations that participating organisations must comply with, therefore it is always worth double checking the relevant organisation's website to ensure that they are complying with these, before instigating any transfer of personal data.

Key exclusions

At present, some categories of data are excluded from being transferred under the Data Bridge, as they are under the DPF; this primarily includes journalistic data. However, sensitive data (including criminal data) must be specifically identified to the US organisation in order to be transferred, and that organisation must have additional protections in place for the sensitive data.

Additionally, only US organisations which are under the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are currently eligible to participate in the DPF and Data Bridge programmes. Any US organisation which sits outside the jurisdiction of these departments is not currently covered by the Data Bridge – this includes sectors such as telecommunications, insurance and banking.

If the data being transferred, or the organisation to which it is being transferred, is not covered under the Data Bridge, then that transfer will need to be subject to additional contractual safeguards (i.e. UK IDTA or EU SCCs with IDTA Addendum) in order to be transferred in accordance with the requirements of the UK GDPR.

What should businesses do now?

Where a business is transferring personal data from the UK to the US, or if they are planning to transfer personal data, the arrangements in place for such transfer can be reviewed to identify whether they are covered by the Data Bridge. In order to do so, businesses will need to check:

  • Whether the US organisation is participating in the DPF and Data Bridge
    • This can be done by searching the register of certified organisations on the DPF website
  • Whether the US organisation's privacy policy includes the necessary information
    • This should be included on the organisation's website privacy policy
  • Whether the personal data being transferred is covered by the Data Bridge
    • As indicated above, certain categories of personal data are excluded from transfer under the Data Bridge

Provided the personal data is not excluded and the US organisation is certified, from 12th October 2023 that transfer will be covered by the Data Bridge and therefore will not need to be subject to any additional contractual safeguards.

Legal challenges

Whilst the Data Bridge and DPF have been approved by the respective legislative bodies, there are still concerns about the strength of the frameworks, which have led to legal challenges (as with the Safe Harbour and Privacy Shield). These challenges are primarily focussed on the DPF and it will likely take months for any decision to be made; however, it is possible that the DPF will be invalidated by the EC if the arguments against it are successful.

If that were to be the case, it is possible that the Data Bridge will fall as well (particularly as the ICO has already noted that it will be kept under constant review), although the true repercussions are not currently clear.

For the time being, the DPF and Data Bridge are valid; however, it would be sensible to consider ensuring that any contracts for the transfer of personal data are suitably future proofed, should these challenges succeed.
