The UK’s hotly anticipated transatlantic ‘data bridge’ to the US is now officially up and running. The new framework came into effect on 12 October 2023. It offers a streamlined mechanism for exports of personal data from the UK to the US, and is intended to facilitate cross-border data flows and the provision of digitally-enabled services between the two countries.
This will be welcome news to many US and UK companies that have been navigating a complex and changeable regulatory landscape in this area. Here’s our summary of how the bridge will operate, and some practical points you’ll need to think about if you want to use it to send personal data to the US.
The background
As avid readers of this blog will know, transferring data from Europe to the US has been challenging in recent years. The EU restricts the transfer of personal data to countries it regards as providing an inadequate level of data protection under the EU GDPR, and similar restrictions apply to transfers of personal data from the UK under the UK GDPR. For both the EU and the UK, the list of countries with adequate safeguards currently does not include the US, due to concerns about US government surveillance activities and the level of recourse available to EU/UK data subjects to object to those activities.
Against this backdrop, but mindful of the fact that EU-US data flows are estimated to underpin more than US$1 trillion in annual cross-border trade and investment, the EU has made several attempts to implement a streamlined solution for data transfers. The latest is the recent EU-US Data Privacy Framework (the DPF). For further background on the DPF, see our previous blog post here and FAQs here.
How does the data bridge work?
The UK data bridge is structured as an extension to the DPF. This means that self-certified US companies that sign up to the DPF can also receive UK personal data through the framework, provided some additional steps are taken.
US companies can only participate in the UK data bridge if they participate in the DPF, additionally elect to participate in the UK bridge, and complete certain mandatory requirements, such as making additional UK-specific commitments within their public data privacy commitments and indicating their election on their self-certification.
To help support the data bridge, the US has designated the UK as a ‘qualifying state’ for the purposes of a new redress mechanism implemented to support the DPF, meaning that UK individuals can seek redress if they believe their personal data has been collected or handled through US signals intelligence in a way that violates UK law. Further background on the redress mechanism is available here.
What should UK companies that want to use the bridge do next?
UK companies that want to transfer personal data to the US using the data bridge should think about the following:
- Consider your intended recipient. Only certain US organisations are currently eligible to participate in the DPF program (further information here). For example, banking, insurance and telecommunications companies are currently not able to participate. Before a UK company sends personal data to the US under the bridge, it should also confirm that the recipient is appropriately certified with the DPF and the UK data bridge: check the DPF List, ensure that the recipient has signed up to the UK extension, and review the US organisation’s relevant privacy policy or policies. The UK organisation must also confirm that any US recipient receiving human resources (HR) data has highlighted that on its certification and that the HR data is appropriately covered by the commitments in its privacy policy.
- Update your privacy policies. Be mindful of the need to update privacy policies and document processing activities to reflect any changes in how data is transferred to the US.
- Certain types of data can’t travel across the bridge. For example, journalistic data (ie personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material and information found in previously published material disseminated from media archives) cannot be transferred under the data bridge.
- Sensitive data requires some extra thought. For example:
  - Special category and sensitive data can be shared with US organisations under the DPF, but it must be correctly identified by UK organisations as such when it is being shared.
  - Be aware that the definition of ‘sensitive information’ under the data bridge is not a direct read-across of special category personal data under the GDPR (it omits genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation, and also omits criminal offence data). However, the data bridge includes a catch-all provision specifying that sensitive information includes information which the party sharing the information has previously treated as sensitive and identified as such. Therefore, UK organisations need to identify such data as ‘sensitive data’ when sending it to a US certified organisation, so that it will be treated as ‘sensitive information’ under the bridge.
  - Where criminal offence data will be shared under the UK-US data bridge as part of an HR data relationship, the US recipient is required to indicate that it is seeking to receive it under the DPF. As explained above, where UK businesses are sharing criminal offence data, they must indicate to the US recipient that it is sensitive information requiring additional protections.
Do previously available transfer mechanisms remain valid?
The data bridge offers an additional avenue for transfers of personal data from the UK to the US.
The data bridge may offer some companies a simpler way to transfer data internationally. However, some businesses may still prefer to continue to use other mechanisms for their UK-US personal data transfers, or to rely primarily on the DPF but put back-up arrangements in place, especially in light of concerns expressed that the data bridge could collapse as a result of a future legal challenge — more on this below.
The requirements under the UK GDPR have not changed, and so organisations may continue to use other common methods like the UK international data transfer agreement or binding corporate rules.
How wobbly is the data bridge?
And finally, watch this space: there is a risk of a challenge to the data bridge being brought before the UK courts at some point in the future, or of the data bridge being compromised in practice by a challenge to the DPF brought in the EU.
The greatest threat may come from Max Schrems, who led the successful challenges to the previous two EU-US transfer mechanisms, and has already vowed to challenge the DPF in the EU courts. Concern has been expressed that, if successful, this could in practice bring down the UK data bridge too.
UK and US officials are understood to have indicated that a successful challenge in the EU to the DPF may not interrupt the operation of the UK framework. Nevertheless, the ability of the UK data bridge to survive any invalidation of the DPF by the EU courts is questionable given that the UK has shown a clear desire to maintain its own status as an ‘adequate’ jurisdiction for EU personal data to be transferred to under the EU’s GDPR. That status might be jeopardised if the UK were to continue with an arrangement that the EU courts considered unlawful, and thereby be seen to act as a ‘back door’ for data flows to the US that circumvents the protections of EU laws.
Looks like the journey across the troubled waters of transatlantic data flows may not be over just yet — but we’ll have to cross that bridge when we come to it…