New data bridge to allow for UK-US data transfers
How will the recently approved data bridge impact transfers of personal data from the UK to the US?
The key takeaway
The new data bridge, an extension to the EU-US Data Privacy Framework (the DPF), will allow UK businesses to transfer personal data to certified US organisations without needing to put in place the typical safeguards (eg Standard Contractual Clauses) or performing a transfer risk assessment.
On 10 July 2023, the European Commission adopted an adequacy decision in respect of the DPF. US businesses may certify themselves with the DPF thereby committing to comply with certain GDPR-style privacy obligations (eg purpose limitation and data minimisation). Transfers from the EU to these US businesses may then be freely carried out without the need to establish safeguards like the EU Standard Contractual Clauses or carry out a transfer impact assessment. EU data subjects may obtain redress in the US for any non-compliant use of their personal data by national intelligence agencies through a new Data Protection Review Court. See previous coverage on this in our Summer Snapshots.
At the same time as this decision, the UK Government had indicated that it was working towards a data bridge that would “piggyback” on the DPF and allow for transfers to be similarly made from the UK to certified US businesses under the UK GDPR.
On 21 September 2023, the UK Government published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework. These regulations state that under the UK GDPR and the Data Protection Act 2018, the US is an adequate country for the purposes of data transfers from the UK provided: (i) the transfer is to a US business certified under the UK Extension to the DPF; and (ii) the recipient complies with its obligations under the DPF. The US Attorney has also designated the UK as a “qualifying state” under US Executive Order 14086 that implements arrangements to complement the DPF (see our Winter Snapshots 2022 for more details) and would allow UK data subjects to access the Data Protection Review Court.
Businesses may start relying on the data bridge from 12 October 2023. Note, however, that only US organisations subject to the jurisdiction of the US Federal Trade Commission or Department of Transportation may certify with the DPF. Businesses not subject to these regulators (eg banks, insurers, telecommunications providers) are not eligible.
The Department for Science, Innovation and Technology have said that they will continue to monitor the DPF and the data bridge.
Why is this important?
The new data bridge should significantly cut down time taken for businesses to agree and implement data transfers to the US by eliminating the need for transfer risk assessments and Standard Contractual Clauses. It should also provide UK data subjects with confidence that their data transferred to the US will be protected in line with requirements in their home country. However, there have been many indications that the DPF will be challenged and, if so, this could potentially affect the validity of the data bridge. For this reason, whilst these transfer mechanisms are in their infancy, businesses should consider adopting a “belts and braces” approach to its important contracts and agreeing Standard Contractual Clauses as a fallback should the DPF fall away.
Any practical tips?
Before initiating any transfer to a US entity under the data bridge, UK businesses must complete the following steps:
- check that the recipient is certified under the DPF list on the data privacy framework website
- check on that list that the recipient is separately signed up to the UK Extension to the DPF
UK organisations should also update their own privacy policies and record of processing activities as necessary to reflect any transfers to US businesses pursuant to the data bridge.
Finally, keep an eye on the transfer of “sensitive” personal data under the UK Extension. This is because the definition of sensitive data under the DPF and the UK GDPR is the same on one level, being personal data revealing racial or ethnic origin; political opinions; religious beliefs; trade union membership; and data concerning health or an individual’s sex life. However, the DPF definition is slightly narrower than the definition of special category data under Article 9(1) of the UK GDPR and, unlike the UK GDPR, does not include genetic data, biometric data (for the purpose of uniquely identifying a person) or sexual orientation data.
Businesses intending to transfer such data should specifically identify the data as being sensitive to the US recipient to ensure it is properly protected under the DPF.