International Data Transfers and UK-US Data Bridge
What is it and what does it mean for UK businesses?
The UK-US Data Bridge was finalised on 21 September 2023 and goes live 12 October 2023.
The term ‘data bridge’ is the UK’s preferred terminology for ‘adequacy’ and it allows for the free flow of personal data from the UK to another country without the need for further safeguards.
The UK Government stresses data bridges are not reciprocal, they don’t permit the free flow of data from other countries to the UK. A data bridge is designed to ensure the level of protection for UK individual’s personal data under UK GDPR is maintained.
The UK-US Data Bridge is aimed at easing the burden on UK businesses, faced with complex international data transfer rules and requirements.
Background on data transfers to the United States
In the past, and when the UK was part of the EU, UK businesses could transfer personal data to US companies which had signed up to the EU-US Privacy Shield, without the need for other safeguards to be in place.
For more than a decade the Austrian privacy activist Max Schrems (and his business NOYB) has been challenging data transfers and highlighting concerns about US Government and agencies ability to access and intercept data transferred to the US.
This ultimately led to a 2020 European Court ruling, known as Schrems II which invalidated the EU-US Privacy Shield and raised concerns about another commonly used safeguard; Standard Contractual Clauses – SCCs.
(Just in case you’re wondering, there was also Schrems I – a ruling in 2015 which invalidated Safe Harbor, the predecessor to the Privacy Shield!)
Since the Schrems II ruling, EU businesses have been required to implement alternative safeguards when transferring personal data overseas, such as putting in place NEW Standard Contractual Clauses between the parties and conducting a Transfer Impact Assessment.
In the UK, we’ve seen the development of the UK’s own International Data Transfer Agreement (IDTA) and Transfer Risks Assessments, for UK based businesses. Oh, and let’s not forget there’s also the UK Addendum to EU SCCs.
Complex, isn’t it? Are you still with me?
EU-US Data Privacy Framework
The European Commission adopted an adequacy decision for transfers to the US which came into force on 11 July 2023. The EC confirmed the EU-US Data Privacy Framework, gives protection to personal data transferred which is comparable to that provided within the EU.
This decision provides a new lawful means for data transfers from exporters based in the EU to the U.S. In a similar way to the previous Privacy Shield, only US businesses regulated by the Federal Trade Commission or the US Department of Transportation are eligible, and need to self-certify compliance against a set of principles.
UK-US data bridge
Post-Brexit the UK is not covered by the EU-US Data Privacy Framework. But now, under the Data Bridge, the UK can benefit from similar arrangements. It’s important to note US companies must already be signed up to the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. Essentially the Data Bridge is an extension to the EU framework, which US suppliers would also need sign up to.
What steps can businesses take?
Businesses transferring personal data from the UK to the US can now check whether their arrangements with US businesses could benefit from the new Data Bridge. This would include checking;
1) whether US businesses are participating in the scheme, or intend to
2) the US businesses’ privacy policies
3) whether the caterogies of data being transferred are covered
Some types of US organisations are not eligible to participate in the Data Bridge, or Data Privacy Framework, and some categories of data may be excluded or require additional steps. For example special category data (such as health data, biometrics, political opinions) and criminal offence data require additional measures.
As with it’s predecessors Safe Harbor and the Privacy Shield, the EU-US Data Privacy Framework is facing legal challenges. It’s argued it still doesn’t offer enough protection to EU citizens. It’s likely these challenges could take many months, may be even years to go through the courts. However, there’s the possibility the EC could invalidate the Data Privacy Framework at some point in the future. If this happens it’s not clear what the repercussions might be for the UK-US data bridge.
Businesses wanting to take a belt and braces approach, may therefore want to still rely on safeguard measures such as EU Standard Contractual Clauses, the UK International Data Transfer Agreement, and where necessary the UK Addendum.
See our International Data Transfer Guide for an overview of the rules and requirements.