The UK-US Data Bridge (the ‘Data Bridge’) becomes law and takes effect from 12 October 2023. This means there is a new mechanism (known as a safeguard) in place that organisations in the UK can rely on to transfer personal data to organisations based in the US, provided that the US organisation has signed up to the new framework. 

The road to get to the new Data Bridge has not been an easy one. Case law (known as Schrems I and Schrems II) invalidated previous methods for transferring personal data to the US. Since then there has not been a straightforward mechanism allowing for the safe transfer of personal data to the US from the UK.

The EU has already established its own data bridge to the US (you can read more about the EU-US Data Privacy Framework here), now the UK Secretary of State for Science, Innovation and Technology has laid adequacy regulations before Parliament to establish a UK data bridge with the US through the UK extension to the EU-US Data Privacy Framework. 

What are the requirements for International Data Transfers?

The UK GDPR prohibits the transfer of personal data to countries outside of the UK/EU unless certain specific safeguards are in place. An example of one safeguard is an adequacy decision (as set out under Article 45 of the UK GDPR). 

The European Commission recently adopted an adequacy decision for transfers of personal data from the EU to the US under the new Data Privacy Framework (the Framework) (see above). The UK-US Data Bridge is essentially the UK’s extension to this. The new Data Bridge enables organisations in the UK to transfer personal data to organisations in the US (provided that they have signed up to the U.K. Extension to the EU-US Data Privacy Framework), without the need for further safeguards, such as the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses. 

What should organisations do now?

Organisations who transfer personal data to the US and who want to rely on the new Data Bridge, will first need to check that the US recipient is listed as participating in the Framework. Companies in some sectors in the US are not able to join the Framework. This includes the banking and insurance sectors.  If the recipient organisation is not listed as a participant, the Data Bridge cannot be relied on, and organisations will instead need to rely on one of the pre-existing appropriate safeguards under Article 49 of the UK GDPR (such as a data transfer agreement). 

Where organisations rely on an alternative mechanism for transfer, they will still also need to carry out a Transfer Risk Assessment.

Whilst the Data Bridge ensures that a high standard of protection is afforded to personal data that is transferred to the US, it is also important to remember that the new framework does not absolve UK organisations of their responsibilities and obligations under UK GDPR. UK organisations will still need to ensure that personal data continues to be processed by the relevant principles as set out under UK data protection law. They will also need to ensure that other safeguards are in place should they be transferring personal data to other third countries, other than the US and if the organisation they are transferring the personal data to in the US has not signed up to the Framework.

UK organisations will also need to ensure that their privacy notices and policies are updated to include information on the new framework. 

What next?

Although the Information Commissioner’s Office (ICO) has indicated that the Data Bridge does provide an adequate level of protection, the new framework will likely be met with legal challenges from various privacy groups. Data Protection activist, Max Schrems, has already commented on the EU-US Data Privacy Framework, arguing that “for the past 23 years all EU-US deals were declared invalid retroactively, making all past data transfers by business illegal - we seem to just add another two years of this ping-pong now." We will await to see what legal challenges the new Data Bridge will face. 

For more information on International Data Transfers or to discuss data protection issues your organisation may be facing, please contact us directly at dataprotection@prettys.co.uk. To receive our latest updates, developments and invites to our events, please join our Data Protection Hub here.