After a long wait, the time has finally come: The UK Parliament finalised the UK-US data bridge in mid-September 2023, making it easier for UK companies to transfer personal data to the United States. The UK-US data bridge works as an extension to the EU-U.S. Data Privacy Framework (DPF), which was adopted by the EU Commission in July 2023 to take a new approach to EU-U.S. adequacy decisions.
Starting 12 October 2023, UK businesses can also rely on this adequacy decision.
Meaning of UK-US data bridge
The name UK-US data bridge was chosen to underline what it does: The data bridge allows personal data to flow between the UK and the U.S. without additional steps, obstacles or measures to take or overcome.
However, this data bridge comes with boundaries. Not all personal data can be shared with all U.S. companies and groups. For the UK-US data bridge to apply, U.S. companies must certify to the EU-U.S. DPF and, additionally, to the UK Extension. Only if both certifications are in place can transfers occur under this adequacy decision.
UK businesses should also be aware that not all U.S. companies are eligible to certify to the DPF and the UK Extension. For now, only those U.S. businesses which fall within the jurisdiction of the U.S. Federal Trade Commission or the U.S. Department of Transportation can self-certify. Therefore, U.S. businesses in sectors such as finance, banking, insurance or telecommunications fall outside the scope of the DPF and the data bridge.
However, if such certification is given, UK-U.S. data flows get easier, as no additional measures have to be taken to secure the personal data.
Also, with the new DPF and UK Extension, one major concern raised against the previous EU adequacy decision, known as the EU-U.S. Privacy Shield, is addressed. The U.S. Government issued Executive Order 14086, under which the U.S. Government can designate countries as qualifying states for the redress mechanism established in that Order. Data subjects of a qualifying state can now seek redress under U.S. law if they believe their personal data has been unlawfully accessed by U.S. authorities. The UK became a qualifying state on 18 September 2023.
Steps to take for businesses to rely on the UK-US data bridge
However, UK companies cannot base their data transfers on the data bridge quite that easily. There are several steps to consider and implement before a lawful use of this adequacy decision is possible.
First, UK businesses need to check whether their U.S. importer is certified not only to the DPF, but also to the UK Extension. Businesses can do that on the Data Privacy Framework website. For HR personal data, businesses also need to check that the importer's certification covers that category of data; this information is given on the certification website as well.
Additionally, you need to review the U.S. importer's privacy policy linked to its certification and check whether it is in line with the DPF and UK GDPR requirements. In particular, check whether the linked privacy policy provides the information set out in Art. 13 and 14 of the UK GDPR, and whether it provides the information you need as a data controller. You might need to publish that information in your own privacy policies accordingly. The certification should also give information on the dispute resolution contacts. If all of this is in place, personal data flows can be based on this adequacy decision.
Still, these are not all the steps to take. UK businesses are well advised to still implement technical and organisational measures, where necessary, to improve and uphold a high standard of data security taking into account the UK GDPR principles such as purpose limitation and data minimisation.
Additionally, if relying on the adequacy decision for U.S. data transfers, UK businesses need to check and update their privacy policies, information notices and registers of processing activities (ROPAs) to be transparent with all information.
Future of the UK-US data bridge
The UK-US data bridge was eagerly awaited over the last couple of months. It addresses some of the concerns that arose around previous adequacy decisions. However, as U.S. privacy legislation still does not address all of the requirements set out by the UK GDPR, there is a high risk that this adequacy decision will also be struck down in court. UK businesses are therefore best prepared if they keep the additional technical and organisational measures they have identified in place and address any changes quickly.
For cases where the UK-US data bridge cannot justify the data flow, UK businesses still have to rely on other safeguards such as the International Data Transfer Agreement. There, additional measures may be crucial to implement before transferring personal data outside the UK. To assess whether such measures are necessary and which ones to take, the Information Commissioner's Office (ICO) provides the Transfer Risk Assessment Tool.
If you are uncertain what safeguard is the legal way to go for your data transfers, feel free to reach out to our experts!