The New UK-U.S. Data Bridge

Mark Booth, Steven Farmer, Catherine Meyer, Scott Morton
Pillsbury - Global Sourcing Practice
Contact
LinkedIn
Facebook
X
Send
Embed

Pillsbury - Global Sourcing Practice

The UK and U.S. Governments have now formalized the UK-U.S. Data Bridge. The U.S. Attorney General designated the UK as a “qualifying state” for the purposes of the Executive Order 14086 on September 18, 2023, and the UK regulations implementing the Data Bridge are scheduled to take effect on October 12, 2023. From October 12, 2023, the Data Bridge will therefore operate as an extension of the EU-U.S. Data Privacy Framework (DPF) to enable the unrestricted movement of personal data between the UK and certified U.S. entities. For more information about the DPF, see our earlier briefing here.

The Data Bridge serves as a partial adequacy decision under the UK GDPR and offers U.S. organizations certified under the DPF the opportunity to extend their certification to include UK personal data. This essentially streamlines the process of transferring data between these two jurisdictions, reducing administrative hurdles such as the need to implement the UK International Data Transfer Agreement (or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs)).

The Data Bridge is not a carte blanche for UK organizations to transfer personal data to any recipient in the U.S. Instead, it lays out specific criteria that must be met for data to flow freely. The key points can be summarized as follows:

  • The recipient in the U.S. must be certified under the DPF, which is currently open to U.S. organizations subject to the jurisdiction of either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT).
  • The U.S. recipient should therefore appear on the DPF List which will indicate whether they have also certified for the UK extension. Note that not all DPF participants will have made this election and U.S. organizations that are currently certified under the DPF should consider whether they wish to add this to their existing certification.
  • Special category data, criminal offence data, and other more sensitive data can generally be shared with U.S. organizations certified under the Data Bridge. However, the data must be correctly identified as such by UK organizations when it is being shared as there are inconsistencies between the special categories of personal data identified by Article 9 UK GDPR, and the categories of information designated as sensitive under the Data Bridge. Organizations should therefore carefully consider the data they wish to share under the Data Bridge and ensure their transfers are documented accordingly.

In cases where organizations cannot rely on the Data Bridge to transfer personal data to the U.S., they will need to resort to pre-existing appropriate safeguards (such as SCCs or binding corporate rules (BCRs)) or make use of the available derogations under Article 49 UK GDPR. These alternatives ensure that UK-U.S. transfers are still possible where a U.S. organization does not qualify for the Data Bridge (e.g., because it is not subject to the jurisdiction of the FTC or DoT), has otherwise decided not to self-certify, or if the DPF and/or the Data Bridge is challenged and ultimately invalidated by the courts.

Further, should an organization look to utilize the Data Bridge and/or the DPF, given it is likely that they will be challenged, they would be advised to maintain any SCCs contained in existing agreements and incorporate them in future agreements as a fallback position in the short- to medium-term, at least.

The UK regulator for data protection matters, the Information Commissioner’s Office (or ICO), has issued an opinion in relation to the Data Bridge in which it flagged four key areas of risk that must be monitored, namely: (i) the definition of sensitive information under the Data Bridge and the lack of complete overlap with Article 9 UK GDPR (as discussed above); (ii) differences in approach to criminal offence data in the UK and U.S.; (iii) the lack of an equivalent right in the U.S. not to be subject to decisions based solely on automated processing; and (iv) a reduction in the level of control that data subjects have in relation to their personal data when transferred under the Data Bridge. These should be monitored by UK exporters on an ongoing basis to ensure the Data Bridge continues to provide an adequate level of protection for personal data.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Pillsbury - Global Sourcing Practice | Attorney Advertising

Written by:

Pillsbury - Global Sourcing Practice
Pillsbury - Global Sourcing Practice
Contact
more
less

Pillsbury - Global Sourcing Practice on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide