Head of Technology | Data, Privacy & Information Security | International
On 12th October 2023, the UK-US Data Bridge came into force. This means there is now a mechanism for businesses to transfer personal data from the UK to the US without putting in place additional contractual safeguards. However, as there is a risk that the DPF will face a legal challenge in the future, businesses should also consider having other mechanisms in place to future-proof their data transfers.
The UK Government approved "adequacy" regulations relating to the US, which allow UK businesses to securely transfer personal data to certified organisations in the US, in compliance with the UK GDPR, without the need to implement additional contractual safeguards.
These adequacy regulations (the "Data Bridge") were approved on 21 September 2023 and came into full force on 12th October 2023.
The UK-US Data Bridge is an extension to the EU-US Data Privacy Framework ("DPF"), which is a bespoke, opt-in certification scheme for US-based organisations.
The DPF, which replaces the previous Privacy Shield framework, includes a set of enforceable principles and requirements that US organisations must certify to, and comply with, in order to join the DPF. These requirements broadly mirror those imposed on UK and EU organisations under the UK GDPR and EU GDPR.
It is important to note that, whilst the DPF website is a very good indication as to whether an organisation is certified, it is not necessarily definitive and therefore should not be taken at face value. There are additional, public-facing obligations that participating organisations must comply with, so it is always worth double checking the relevant organisation's website to ensure that it is complying with these before instigating any transfer of personal data.
At present, some categories of data are excluded from being transferred under the Data Bridge, as they are under the DPF; this primarily includes journalistic data. In addition, sensitive data (including criminal data) must be specifically identified to the US organisation in order to be transferred, and that organisation must have additional protections in place for the sensitive data.
Additionally, only US organisations which are under the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are currently eligible to participate in the DPF and Data Bridge programmes. Any US organisation which sits outside the jurisdiction of these departments is not currently covered by the Data Bridge – this includes sectors such as telecommunications, insurance and banking.
If the data being transferred, or the organisation to which it is being transferred, is not covered under the Data Bridge, then that transfer will need to be subject to additional contractual safeguards (i.e. UK IDTA or EU SCCs with IDTA Addendum) in order to be transferred in accordance with the requirements of the UK GDPR.
Where a business is transferring personal data from the UK to the US, or is planning to do so, the arrangements in place for that transfer can be reviewed to identify whether they are covered by the Data Bridge. In order to do so, businesses will need to check:
Provided the personal data is not excluded and the US organisation is certified, from 12th October 2023 that transfer will be covered by the Data Bridge and therefore will not need to be subject to any additional contractual safeguards.
Whilst the Data Bridge and DPF have been approved by the respective legislative bodies, there are still concerns about the strength of the frameworks, which have led to legal challenges (as with Safe Harbour and Privacy Shield). These challenges are primarily focussed on the DPF and will likely take months for any decision to be made; however, it is possible that the DPF will be invalidated by the EC if the arguments against it are successful.
If that were to be the case, it is possible that the Data Bridge will fall as well (particularly as the ICO has already noted that it will be kept under constant review), although the true repercussions are not currently clear.
For the time being the DPF and Data Bridge are valid; however, it would be sensible to consider ensuring that any contracts for the transfer of personal data are suitably future-proofed, should these challenges succeed.