On 21 September 2023, the UK Government announced its decision to establish the UK-US Data Bridge (the “Data Bridge”), also known as the UK Extension to the EU-US Data Privacy Framework (“DPF”). The announcement laid out regulations to significantly simplify the free flow of personal data from the UK to the US. Back in June of this year, the UK and US reached an agreement in principle over this arrangement, with the regulations finally coming into effect on 12 October, following months of negotiations. We briefly touched on this in our last article about the DPF.
We set out below how these regulations transform the requirements for international transfers between the US and UK, the specific issues raised by the UK Government and the likelihood of another challenge from Max Schrems.
What does this mean?
With the Data Bridge, organisations in the UK will be able to transfer personal data to US organisations self-certified to the DPF without the need for further safeguards as specified in the UK GDPR, such as international data transfer agreements (the UK version of the EU’s standard contractual clauses or binding corporate rules) or the UK Addendum.
In addition, exporters of personal data from the UK that rely on the Data Bridge will not be required to carry out a Data Transfer Impact Assessment, which typically requires a substantial investment of time and resources.
While the above transfer mechanisms remain valid options for making a UK-based data transfer across the Atlantic, organisations should consider which mechanism suits them best for the specific transfer in question. In addition, US organisations should be mindful of the principles of the DPF, while UK organisations should demonstrate that they have up-to-date privacy policies and continue to document their own processing activities as necessary.
By enabling faster, more efficient transfer of data between the two countries, the Data Bridge will unlock economic opportunities for businesses as well as facilitate innovation research. The extension also ensures that data is protected according to UK GDPR, the UK’s data protection regime.
A Note of Caution from the UK Government
A factsheet released by the UK Government highlighted the particular issues with regard to transferring “sensitive information” under the DPF, which organisations collecting health or criminal background related data will need to take into account. UK organisations must correctly identify special category and sensitive data when it is being shared with US organisations to ensure it receives appropriate protections under the DPF. The categories of data that must be expressly flagged as sensitive are:
- genetic data;
- biometric data for the purpose of uniquely identifying a natural person;
- data concerning sexual orientation; and
- criminal offence data.
Potential Challenge on the Horizon?
Given that the prior two EU-US data transfer deals (Safe Harbour and Privacy Shield) were struck down, and that privacy campaigner Max Schrems, who brought both successful lawsuits, has already expressed his intention to file against the DPF, there are undoubtedly concerns about the longevity of the extension. It remains to be seen what impact any such challenge would have on the validity of the Data Bridge, but it is certainly something that UK organisations should keep a close eye on.
How can Burges Salmon help?
If you would like any further information, please contact David Varney or another member of our Data Protection team.
This article was written by Noel Hung