The UK-US data bridge has been established through a UK Extension to the EU-US Data Privacy Framework (EU-US DPF), the adequacy decision adopted by the European Commission in respect of data transfers from the EU to the US, which became effective on 10 July 2023.
Since 12 October this year, and subject to certain conditions, UK businesses can transfer personal data of UK individuals to certified US organisations without the need for further safeguards.
What is a data bridge?
The term "data bridge" is the UK Government's preferred term for "adequacy" which, when implemented in respect of another country, permits the free flow of personal data from the UK to that country without the need for further safeguards.
A data bridge is a non-reciprocal arrangement, designed to continue to protect the personal data of UK individuals when transferred to a country outside the UK and/or the European Economic Area, to the standard required under the UK GDPR. Each data bridge assessment requires careful consideration of several factors, for example, the recipient country's laws and the protections awarded to individuals' personal data.
What is the EU-US DPF?
The UK-US data bridge permits certified US companies to register to enable them to receive UK personal data through the Extension to the existing EU-US DPF, described by the UK Government as "a bespoke, opt-in certification scheme for US companies". The DPF is enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT) and administered by the Department of Commerce (DoC).
In order to receive UK personal data without the need for further safeguards, a US organisation must first sign up to the EU-US DPF before it can participate in the UK Extension and receive data from the UK under the UK-US data bridge. The requirements are onerous: they involve a wide range of legally enforceable obligations and require annual certification.
What does the US data bridge mean for UK business?
According to the UK Government, the "US data bridge will ensure that high standards of protection for personal data are maintained when the data is sent to certified US organisations". It allows UK businesses to transfer personal data to certified US organisations without the need to implement further safeguards such as Standard Contractual Clauses (SCC) or the UK's International Data Transfer Agreement (IDTA).
It is worth noting:
- Only US organisations certified to the UK Extension and which appear on the EU-US DPF list can receive data under the UK-US data bridge. Certain US organisations cannot yet participate, such as banking, insurance and telecommunications companies.
- Certain journalistic data is excluded from the data bridge, which includes data "gathered for publication, broadcast, or other forms of public communication of journalistic material...".
Information Commissioner's Office (ICO) Opinion
Although acknowledging that "it is reasonable for the Secretary of State to conclude that the UK Extension provides an adequate level of data protection...", the ICO has identified four areas which could pose a risk to UK individuals should the protections not be properly applied:
- Sensitive information – Rather than specifying all categories of personal data identified in Article 9 of the UK GDPR, the UK Extension simply refers to sensitive information as "...any other information received from a third party that is identified and treated by that party as sensitive". It is therefore recommended that UK businesses ensure they identify certain data, for example, biometric, genetic, sexual orientation and criminal offence data, as sensitive data when transferring to the US organisation. There is currently no obligation for UK businesses to identify sensitive data in this way and so guidance on this point is likely to be issued in due course by the Department for Science, Innovation and Technology.
- Criminal Offence data – Even where criminal offence data is identified as sensitive data, certain risks remain as there are no equivalent protections to such data in the US to those within the UK. For example, the UK's Rehabilitation of Offenders Act 1974 places limits on the use of data relating to criminal convictions when those convictions have become 'spent' following the relevant rehabilitation period, which is not reflected in US law. How such protections would continue to apply to the data once transferred to the US remains unclear.
- Automated processing – Article 22 UK GDPR protects individuals from being subject to decisions based solely on automated processing. The UK Extension does not provide individuals with an equivalent right to obtain a review of such a decision by a human.
- "Right to be forgotten" and consent – The UK Extension does not provide similar rights to those in Article 7 (unconditional right to withdraw consent) and Article 17 (right to erasure). Whilst the UK Extension gives individuals some control over their data, it is not as extensive as the control they have under the UK GDPR.
The ICO recommends that the Secretary of State reviews the level of protection provided by the UK Extension every 4 years.
Given the way in which previous data transfer mechanisms allowing for data flows from the UK to the US have been challenged and subsequently invalidated, it would be sensible for UK businesses to remain alert to further developments in this area. Legal challenges seem likely, as is already becoming apparent with respect to the EU-US DPF, and so it may be that UK businesses will consider whether they wish to adopt this new mechanism or maintain their existing safeguards, by continuing to rely on SCC and UK Addendum or IDTA.
If relying on the UK-US data bridge, UK businesses may wish to include contractual terms addressing the areas identified as risks by the ICO, to ensure that individuals' data continues to be adequately protected.
If the data bridge does not apply, because the US organisation is not certified or the data intended to be transferred is excluded from the data bridge, SCCs, the IDTA or another appropriate safeguard as set out in Article 46 UK GDPR must continue to be relied upon.
Next steps for UK businesses wishing to rely on the UK-US data bridge
Should a UK business wish to transfer data to a US organisation under the UK-US data bridge, the following steps should first be completed:
- Check if the US organisation is on the DPF list.
- Check if the US organisation has signed up to the UK Extension.
- Confirm that the type of personal data being transferred is covered by the UK Extension. Special attention should be given to ensuring sensitive information under Article 9(1) of the UK GDPR is labelled as such.
- Review the US organisation's privacy policies.
- Review internal documents. For example, privacy policies and data processing policies will need to be updated to reflect any change in data transfer mechanism.
Regardless of which transfer mechanism is used to effect a data transfer to the US, UK businesses must remember the recent Schrems II case, which gave rise to the requirement to risk assess the data protection laws of the recipient country prior to making any such transfer, i.e. assessing any increase in the risk to people's privacy and other human rights compared with the risk if the information remains in the UK.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.