The UK-US Data Bridge: Implications and Opportunities for Businesses

On 21 September 2023, the UK Government announced its decision to establish the UK-US Data Bridge (the "Data Bridge"), also known as the UK Extension to the EU-US Data Privacy Framework ("DPF") and the Data Bridge entered into force on 12 October 2023.

In the evolving landscape of international data protection, the Data Bridge is a significant development, providing a new route for the lawful transfer of personal data between the UK and the US.

What is the UK-US Data Bridge and how does it relate to the EU-US Data Privacy Framework?

The starting position is that, under the UK General Data Protection Regulation (UK GDPR), transferring personal data across the Atlantic is prohibited without transfer mechanisms such as the European Standard Contractual Clauses (SCCs) and the UK equivalent International Data Transfer Agreement (IDTA) or Binding Corporate Rules. In July this year, the European Commission adopted an adequacy decision (a legal tool facilitating the transfer of personal data to third countries  that offer (or to companies in third countries participating in schemes that offer) a comparable level of data protection to that of the country the data is being sent from) in the form of the DPF. The DPF is a replacement for the EU-US Privacy Shield, which was declared invalid by the Court of Justice of the European Union (CJEU) in mid-2020.

As the UK is no longer a member of the European Union, the DPF does not automatically enable the transfer of personal data from the UK to the US. Following its approval by the UK Government, the Data Bridge, which acts as an extension of the DPF, allows personal data to be lawfully transferred from the UK to entities in the US that self-certify their compliance with the DPF.

The decision to introduce the Data Bridge lies in the determination that US companies participating in the DPF ensure an adequate level of protection for personal data transferred from the EU and UK.

What are the benefits of the UK-US Data Bridge?

No further safeguards required

With the Data Bridge, organisations in the UK will be able to transfer personal data to US organisations certified to the "UK Extension to the EU-US Data Privacy Framework" without the need for further safeguards, such as IDTAs or Binding Corporate Rules. There are requirements for both UK and US organisations in order to implement the Data Bridge, such as US companies updating their privacy policies and certifying to the Data Privacy Framework List. UK organisations should implement corresponding updates to their data protection compliance documentation, such as:

• listing the Data Bridge as a relevant transfer mechanism in their privacy notices to comply with transparency requirements;
• updating their records of processing activities to accurately reflect which international transfers of personal data are subject to the Data Bridge; and
• listing the Data Bridge as the relevant transfer mechanism in any new data transfer agreements entered into with relevant US companies.

No Transfer Impact Assessment required

As is the case when relying on other adequacy regulations,  UK companies are not required to complete a Transfer Impact Assessment (TIA) when relying on the Data Bridge. TIAs require companies to consider whether, in the circumstances of the transfer and with the chosen alternative transfer mechanism, the relevant protections for people under the UK data protection regime would be undermined by the laws and practices of the third country. Performing that assessment for any third country's surveillance laws and practices has in recent years been one of the most complex and challenging exercises for organisations, so the arrival of the Data Bridge will be a welcome data transfer option for many companies.

A harmonised approach across the UK, EU and Switzerland

The UK-US-EU triangle is one of the most important pieces in the global-transfers puzzle and the introduction of the Data Bridge largely harmonises transatlantic data transfer regimes, meaning that entities in the UK, EU and Switzerland can use the same mechanism ¹ for sending personal data to the US.

Companies that embrace the Data Bridge signal their commitment to data privacy, which can enhance their reputation and bolster trust with customers and partners. The DPF and Data Bridge align with GDPR principles, reinforcing businesses' adherence to global data protection standards.

Further considerations

Limitations of the Data Bridge

For companies wishing to use the Data Bridge as their chosen transfer mechanism but also rely on SCCs or the IDTA in the event the Data Bridge is struck down in a Schrems III scenario - unfortunately the Data Bridge and SCCs cannot be used simultaneously for the same data transfer. While this provides flexibility for businesses to choose the most suitable mechanism, it necessitates careful consideration when selecting the appropriate method for each specific transfer.

The Data Bridge may be challenged

The EU adequacy decision for the DPF has already received a legal challenge and this would have a knock-on effect for the validity of the Data Bridge, if that challenge is successful. It's likely that any such challenges would take many years to progress through the European Courts, and it remains to be seen whether equivalent challenges would be brought in the UK.

The UK Information Commissioner's Office has already issued an opinion highlighting structural issues with the Data Bridge, which could serve as the basis for potential legal challenges. The ICO's opinion identifies that the Data Bridge does not contain equivalent protections to:

• the rights under the UK GDPR relating to decisions based solely on automated processing;
• the right to be forgotten under the UK GDPR; or
• the unconditional right to withdraw consent.

As such, UK entities should follow developments on international transfers and consider the best data transfer method - whether this is the Data Bridge or continuing to use existing methods such as the IDTA.

Transferring special category data

The ICO's opinion highlighted that the Data Bridge definition of "sensitive data" does not mirror that of the UK GDPR, as the definition that appears in the Data Bridge does not specify all of the special categories of personal data identified in Article 9 of the UK GDPR. This means that certain special categories of data (in particular, genetic data, biometric data for the purpose of uniquely identifying an individual, and/or data concerning sexual orientation) and criminal offence data must be specifically identified as "sensitive" data in order to be transferred under the Data Bridge. This therefore relies on UK organisations clearly labelling certain types of data as sensitive and applying additional protections when transferring any of them to a US recipient.

Personal data can only be transferred to US recipients who have self-certified

For personal data to flow freely under the Data Bridge, the US recipient must be self-certified under both the DPF and the Data Bridge (note that the US recipient must specifically choose to participate in the Data Bridge). Not all US organisations are permitted to self-certify under the DPF - only US organisations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are eligible to participate, and most notably this excludes insurance, banking and telecommunications organisations. 

Practical steps for UK-based entities

When relying on the Data Bridge to transfer personal data to the US, UK entities should consider whether any updates are required to their data protection compliance documentation to reflect the use of the Data Bridge. These steps include:

• listing the Data Bridge as a relevant transfer mechanism in their privacy notices to comply with transparency requirements;
• updating their records of processing activities to reflect which international transfers of personal data are subject to the Data Bridge; and
• where applicable, specifying the Data Bridge as the relevant transfer mechanism in any new data transfer agreements entered into with relevant US companies.

¹ The EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy, and the Swiss-U.S. Data Privacy Framework