The United Kingdom has finally approved a new data bridge for transfers of personal data to the United States. The UK data bridge takes the form of an extension to the EU-US Data Privacy Framework, which was approved by the European Commission in June 2023. In this update we look at what the UK-US data bridge means for organisations in the UK that wish to export personal data to the US.
In July 2020, the European Court of Justice issued its decision in Schrems II, declaring that the US Privacy Shield framework was not lawful under EU data protection law, as it did not provide appropriate safeguards to, or remedies for, EU data subjects under US surveillance laws. While the ECJ also held that the EU Standard Contractual Clauses (SCCs) are, in principle, valid under EU law, this is subject to data subjects having enforceable rights and effective remedies in the destination territory. This requires data exporters to carry out transfer risk assessments (TRAs) to assess the laws in the destination territory and consider whether supplementary measures are necessary to bolster the SCCs with additional technical, contractual or organisational measures.
For more on Schrems II, read our summary of the Schrems II decision and our summary of the EDPB guidance on supplementary measures.
While the EU and UK have since approved new transfer tools to replace the old SCCs, organisations using them still need to carry out transfer risk assessments and consider supplementary measures to the transfer tools.
The European Commission and the UK Government have therefore been in discussions with the US Government on a replacement scheme that addresses the shortfalls of Privacy Shield.
What is a data bridge?
A "Data Bridge" is the UK Government's preferred terminology for an adequacy decision under UK GDPR.
In October 2022, the US Government implemented a number of new measures to strengthen the protection of personal data and provide a new scheme under which personal data can be transferred to the US. Upon the implementation of those measures, the European Commission and the UK commenced their adequacy approval processes.
The European Commission concluded its process in June 2023, with the approval of the EU-US Data Privacy Framework.
Following the designation by the US Government of the UK as a qualifying territory for the enhanced protections under US law, the UK Government announced on 21 September that it had also now concluded its approval process.
As the UK data bridge takes the form of a UK extension to the EU-US Data Privacy Framework, the same underlying Executive Orders and other supporting documentation will apply. This is important as it should avoid potential issues if there is an onward transfer of EU personal data by a UK exporter to the US under the UK-US data bridge.
What does the UK-US data bridge mean for organisations transferring personal data to the United States?
The UK-US data bridge enables frictionless transfers of personal data to the US. Organisations that are currently relying upon the ICO's international data transfer agreement (IDTA) or the EU standard contractual clauses (SCCs) and UK addendum for US data transfers may wish to consider using the UK-US data bridge instead.
As the UK considers that the US provides an adequate level of protection for personal data when using the UK-US data bridge, organisations relying on the data bridge will not need to carry out a transfer risk assessment or consider whether supplementary measures are necessary.
The UK-US data bridge will therefore substantially simplify the process of entering into new transfer arrangements, avoiding the time and expense incurred in carrying out transfer risk assessments and putting in place IDTAs or SCCs.
Organisations should, however, ensure that the data importer in the US is certified by the US Department of Commerce under the Data Privacy Framework. For example, if an organisation wishes to use the UK-US data bridge for intra-group transfers of personal data or to a service provider located in the US, then it would need to ensure that the US entity is certified.
If the US entity is not certified, then exporters will need to continue to use the IDTA or SCCs and UK addendum for the transfer. However, organisations may wish to take into account the existence of the new measures introduced by the US when carrying out their transfer risk assessment.
Organisations opting to rely upon the UK-US data bridge will need to consider what changes they wish to make to their contracts to document the reliance on the data bridge.
For example, organisations that enter into contracts with data processors will want to consider the extent to which they may still wish to approve a transfer by the processor to a US sub-processor.
Finally, organisations should also think about how their contracts would deal with any successful challenge to the lawfulness of the data bridge, as happened with Safe Harbor and Privacy Shield.
When does the UK-US data bridge come into force?
Draft regulations were laid before Parliament on 21 September 2023 and will come into force on 12 October 2023. From that date, organisations exporting personal data to the US will be able to rely upon the data bridge for transfers to US organisations that have certified under the EU-US Data Privacy Framework.