
A bridge across the pond: the UK-US Data Bridge

5 Dec 2023

What is the UK-US Data Bridge?

On 12 October 2023, the UK-US Data Bridge (‘Data Bridge’) was introduced. The Data Bridge allows UK organisations to transfer personal data to US organisations that have self-certified to the EU-US Data Privacy Framework (‘DPF’) without needing to implement additional safeguards, such as Standard Contractual Clauses (with a UK Addendum) (the “SCCs”).

What was the position?

Under the UK GDPR, it is generally prohibited to transfer personal data outside of the UK, but there are some exceptions. Most commonly a transfer will be permitted if:

  • the UK government has determined that the recipient jurisdiction provides an ‘adequate’ level of protection (i.e. through local data protection law in that country’s jurisdiction);
  • the contracting parties use SCCs; or
  • one of certain specific derogations (usually based around occasional transfers) applies.

Under the pre-Brexit EU GDPR regime, the United States has been judged to provide adequate protections by the EU on two occasions. These previous adequacy decisions resulted in the EU-U.S. Safe Harbor regime (until 2015) and the EU-US Privacy Shield (until 2020). However, in recent years, decisions of the Court of Justice of the European Union (‘CJEU’) have cast a shadow over the landscape of personal data transfers. In July 2020 the CJEU invalidated the EU-U.S. Privacy Shield in its judgment in Data Protection Commissioner v. Facebook Ireland Limited.

This decision, known as ‘Schrems II’, highlighted the CJEU’s concern with the protection of individuals’ fundamental rights to privacy and data security, which are often at odds with the expansive reach of global data flows. The CJEU’s principal objections have been the incompatibility of United States surveillance laws with European data protection standards and the lack of an adequate redress mechanism for EU data subjects. This contradiction was found in the Schrems II decision to be irreconcilable for the time being, and so parties transferring personal data from the EU to the US were obliged to return to relying on SCCs or available derogations as their lawful basis.

What has changed?

Mindful that too much red tape could stymie trade between the United States and Europe, after Schrems II, the EU and US have tried again to establish another separate lawful basis to ensure the smooth exchange of data. In July this year their work bore fruit and the European Commission made an adequacy decision in relation to the brand new EU-U.S. Data Privacy Framework (DPF).

The DPF introduces a fresh self-certification framework for U.S. entities. This framework addresses the concerns that the CJEU raised in the Schrems II decision by placing restrictions on U.S. surveillance of personal data, coupled with new redress avenues in the event data is wrongly handled, including the establishment of a new Data Protection Review Court.

What does this mean for the UK?

The UK is no longer a part of the European Union; however, the UK’s data protection legislation restricts transfers of personal data out of the UK in substantially the same way as the EU GDPR does. After leaving the EU, the authority to issue new adequacy decisions for international transfers now sits with the UK Government. These UK adequacy decisions have been branded as ‘data bridges’.

As of September 21, 2023, formal steps were taken to recognise the UK extension to the DPF as providing adequate protection to personal data subject to the UK GDPR, culminating in the establishment of the ‘UK-U.S. Data Bridge’. This development followed the U.S. Attorney General’s extension of the new U.S. Data Protection Review Court to individuals in the UK on September 18, 2023.

This means that, starting from October 12, 2023, the transfer of personal data from the UK to DPF participants in the U.S. that have extended their certification to the UK can occur without implementing the UK’s International Data Transfer Agreement (equivalent to standard contractual clauses) or other ‘appropriate safeguards’ outlined in the UK GDPR.

How does it work in practice?

Crucially, being an extension to the DPF, the UK-U.S. Data Bridge cannot be entered into independently from the DPF. Therefore, U.S. organizations aiming to utilise the UK-U.S. Data Bridge, if not already DPF certified, must enrol in the DPF and opt-in to the UK extension.

The U.S. Department of Commerce will manage the Data Bridge, and if you are a U.S. organisation that has self-certified under the DPF, you can extend your certification to encompass data from the UK by selecting the option to add the UK extension through your online DPF account.

For UK organizations looking to verify whether a prospective data recipient participates in the DPF and the UK extension, the Data Privacy Framework List can be consulted at www.dataprivacyframework.gov.

Is there a catch?

The Data Bridge has not been able to make the transfer of data entirely seamless:

  • U.S. recipients of data must elect to participate, and not all U.S. organisations are permitted to self-certify to the DPF – only organisations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are currently able to take part in the scheme.
  • UK organisations must signal where they intend to transfer special category data and designate this data as “sensitive”, and journalistic data cannot be transferred under the Data Bridge.
  • The Data Bridge is also likely to be challenged in the CJEU on the same grounds that sank the Safe Harbor and Data Shield projects. It may be that this takes a few years to be considered in the European Courts. In the UK, the ICO has already issued an opinion that the Data Bridge has “specific areas that could pose some risks to UK data subjects if the protections identified are not properly applied.”

What should I do as a UK business?

UK businesses wishing to enter into an arrangement which may require the transfer of data to an organisation in the United States should consider the following preparatory steps:

  • Check to see if the US organisation has self-certified to the UK extension of the DPF on the DPF Program website. If the organisation is not on the list, or hasn’t opted-in to the UK extension, you may have to rely on SCCs or a derogation if applicable.
  • Consider whether any of the data you wish to transfer is journalistic in nature, or is special category data.
  • Review and amend your privacy notices to ensure that the Data Bridge transfer mechanism is included in order to comply with transparency requirements under the UK GDPR.

And of course, please do not hesitate to get in touch with the commercial team here at Cripps if you have any questions or concerns about the new transfer regime.

Louis Marr

Associate
Commercial
