The extension is positive but will require businesses on both sides of the Atlantic to check they meet all requirements

The UK government has announced that the UK extension to the EU-US Data Privacy Framework (commonly referred to as the UK-US data bridge) has now been established, and businesses can start using it from 12 October 2023.

In July, after 24 EU Member States voted in favour of the EU-US Data Privacy Framework, the European Commission adopted its adequacy decision for the US based on the new framework, which businesses have been able to benefit from since 11 July.

What does the UK-US data bridge do?

Since the Schrems II ruling in July 2020 – which prohibited use of the previous EU-US Privacy Shield arrangement to facilitate the transfer of personal data between the EU and US – there has been a significant lack of clarity on how companies could continue to transfer personal data covered by both the General Data Protection Regulation (GDPR) and the UK GDPR to the US in a way that was fully compliant with EU and UK data protection laws.

With the EU-US Data Privacy Framework in place since July for businesses making transfers of data that are subject to the EU GDPR, it was expected that a UK extension would be added later in 2023. Unlike the old Privacy Shield arrangement, the UK was not covered by the new EU-US Data Privacy Framework due to Brexit. Transfers of data, which are subject to the UK GDPR, from the UK to the US still had to use (arguably) more cumbersome methods for legitimising transfers, such as the UK version of the standard contractual clauses, the International Data Transfer Agreement.

How does the UK-US data bridge work?

Under the new UK-US data bridge, the UK benefits from similar arrangements to the EU-US Data Privacy Framework. US companies must already participate in the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge.

Those organisations can elect to participate in the UK-US data bridge either as part of their annual re-certification to the EU-U.S. Data Privacy Framework, or outside of their annual certification to the EU-US Data Privacy Framework provided that they make their election no later than six months from 17 July 2023.

US organisations which have elected to participate in the UK-US data bridge are indicated on the Data Privacy Framework List; as at 21 September, there were already over 550 organisations on the list.

What should businesses do next?

Businesses transferring personal data from the UK to the US should take steps to understand the extent to which their arrangements with US businesses could benefit from the new UK-US data bridge. This means checking whether those US businesses participate (or intend to participate) in the UK-US data bridge, checking US businesses' privacy policies (included within their Data Privacy Framework record) and checking whether the types of data they are transferring are covered by it.

Both the transferor and the transferee may need to make changes to their privacy notices, records of processing and contracts to reflect their reliance on the UK-US data bridge.

Businesses should also be aware that some types of US organisations are not eligible to participate in the UK-US data bridge (or the EU-US Data Privacy Framework), and some categories of data are either excluded from transfer under it, or need additional steps to be taken (either by the business transferring the data or the US business receiving it) before that data can be transferred. This is the case for some special categories of data, criminal offence data or data covered by the journalistic exemption.

Where businesses can't use the new UK-US data bridge, they will have to continue using one of the pre-existing means for legitimising data transfers, such as the International Data Transfer Agreement or binding corporate rules.

Will legal challenges impact the framework?

The EU-US Data Privacy Framework is already facing legal challenges on the basis that it does not do enough to protect EU citizens whose personal data is transferred to the US. Any such challenges will likely take months, more likely years, to work their way through the courts.

In the event that a challenge to the EU-US Data Privacy Framework is successful or the European Commission reverses its approval of the framework, it is not clear whether the UK-US data bridge would also be invalidated. The fact that the UK-US data bridge is an extension to the EU-US Data Privacy Framework, and a US business must participate in the framework to be able to participate in the data bridge, suggests that the UK-US data bridge will only remain valid for as long as the EU-US Data Privacy Framework remains valid, but there is uncertainty as to how this will actually play out in practice.

Osborne Clarke comment

The UK-US data bridge is positive news for businesses on both sides of the Atlantic. From 12 October 2023, (most) personal data which is subject to the UK GDPR can be transferred to US businesses that participate in the UK-US data bridge without needing to rely on an alternative data-transfer mechanism (such as separate contractual obligations), and without needing to complete burdensome transfer impact assessments and implement additional transfer safeguards.

Businesses seeking to take advantage of the new UK-US data bridge will need to check that all of the requirements are met before relying on it as a valid international transfer method.

Some businesses transferring personal data from the UK may still seek a belt-and-braces approach, relying on both the UK-US data bridge and an alternative transfer mechanism (such as the International Data Transfer Agreement addendum), particularly given the uncertainty around whether the EU-U.S. Data Privacy Framework (and the UK extension to it) will withstand challenge.