What is the new UK-US data bridge and how does it affect my business?

Find out all you need to know about the new UK-US data bridge and its impact on your business in our latest blog. Stay informed to navigate the evolving data landscape effectively.

What is the UK-US data bridge?

The UK-US data bridge (also known as the UK Extension to the EU-US Data Privacy Framework) is an extension of the EU-US Data Privacy Framework (DPF). It provides a new legal mechanism for UK businesses to transfer personal data to certain certified organisations in the US.

The decision to establish the UK-US data bridge was made by the UK Secretary of State for Science, Innovation, and Technology under Section 17A of the Data Protection Act 2018.

The UK-US data bridge comes into effect, and can be relied upon from, 12 October 2023. This means that from 12 October 2023, UK businesses can transfer personal data to certified US organisations without needing to rely on another safeguard mechanism (e.g. the ICO’s international data transfer agreement (IDTA)). Where it can be relied upon, it may also remove the need to carry out a transfer impact assessment (TIA) in respect of the transfer.

If the UK-US data bridge cannot be relied upon, another approved transfer mechanism will need to be used in order for the transfer to the US to be made lawfully and in accordance with the UK GDPR (e.g. IDTA, binding corporate rules).

Which organisations can use the UK-US data bridge?

Not all US businesses can take part. US organisations must already participate in the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. The EU-US DPF has a list of approved organisations which can be found here.

Only US organisations subject to the jurisdiction of the US FTC (Federal Trade Commission) or the US DoT (Department of Transportation) are currently eligible to become a certified organisation under the DPF. US organisations that are not subject to the jurisdiction of either the FTC or DoT (e.g. banking and insurance companies) are unable to become certified under the DPF. To send personal data to these organisations, an existing form of transfer mechanism must still be relied upon (e.g. the IDTA) in order for the transfer to the US to be lawful.

How do I know if I can rely on the UK-US data bridge?

Before sending personal data to the US in reliance on the UK-US data bridge, UK businesses must:

  1. confirm that the recipient organisation is certified with the DPF;

  2. check that the organisation has signed up for the UK Extension to the EU-US DPF; and

  3. if the transfer will include HR data, confirm that HR data is covered by the organisation’s DPF commitments and this is highlighted on their DPF certification.

For more information, read the Government’s UK-US data bridge factsheet for UK organisations.

What other action do I need to take if I use the UK-US data bridge?

After taking the steps above and establishing that the UK-US data bridge can be relied upon as the transfer mechanism, you should also:

  1. update your privacy notice to tell individuals that you are transferring their personal data to the US and that you are relying upon the UK-US data bridge; and

  2. update your internal data protection policy in relation to international transfers so that your employees know when the UK-US data bridge can be relied upon.

Are there any potential issues with the UK-US data bridge?

The UK Information Commissioner’s Office (ICO) has released a statement that identifies four specific areas of the UK-US data bridge mechanism which could pose some risks to UK data subjects.

In addition, it should be noted that a number of legal challenges have already been brought against the EU-US DPF. It is feasible that similar legal challenges will follow against the UK-US data bridge.

Tags: international transfers, UK GDPR transfers, UK-US data bridge, EU-US data bridge, adequate countries, data transfers

Docue's Legal Team