Regulations have been laid in Parliament which, when they come into effect on 12 October, will mean that transfers of personal data from UK companies to recipients in the US will in many cases be made much easier.
Until now, the lack of a UK data protection "adequacy" decision in respect of the US has meant that UK companies needing to transfer data there have generally had to ensure that specific contractual provisions are in place, and also to have undertaken detailed risk assessments for each instance.
The regulations, which are accompanied by a number of supporting documents (such as a factsheet and an explainer) mark the creation of a "UK Bridge" to the EU-US Data Privacy Framework approved by the European Commission in July. Under that framework, US companies can take advantage of an opt-in certification regime enforced by the US Federal Trade Commission and Department of Transportation.
When plans for the UK Data Bridge were announced in June the Secretary of State for Science, Innovation, and Technology, Chloe Smith said,
"Data bridges not only offer simpler avenues for the safe transfer of personal data between countries, but also remove red tape for businesses of all sizes and allow them to access new markets."
It is certainly the case that trade with those US companies who certify will become much simpler. However, the EU-US Data Privacy Framework itself is already subject to a legal challenge, brought by a French Member of the European Parliament, and previous EU-US data protection arrangements have been struck down by the Court of Justice.
It seems unlikely that both the main Framework, and the UK data bridge, will avoid criticism, but we believe that the UK data bridge is less likely to be subject to immediate legal challenge than the EU-US framework and so transatlantic data transfers should now be easier to effect.