Closely following the establishment of the EU-US Data Privacy Framework (DPF) – see our July 2023 post – the UK has now agreed to an extension for the transfer of personal data from the UK to the US, known as the UK Extension to the EU-US Data Privacy Framework, or the UK-US Data Bridge. Taking effect from 12 October 2023, the UK-US Data Bridge provides a new legal mechanism under which UK organisations can send personal data to the US, provided that certain requirements are met (see ‘How can organisations use the UK-US Data Bridge’ below).
What is the UK-US Data Bridge?
The UK-US Data Bridge is an extension to the EU-US DPF, the legal mechanism agreed in July 2023 that allows personal data to be transferred from the European Union to US organisations that have certified their compliance with the DPF principles.
The UK-US Data Bridge is the product of:
- A decision by the UK government that personal data transferred from the UK to the US will be adequately protected so long as the transfer is:
  - To a US organisation included on the Data Privacy Framework List (DPF List) as a participant in the UK-US Data Bridge.
  - Subject to the DPF principles on receipt by that US organisation.
- The designation of the UK as a qualifying state by the US government under Executive Order 14086. This allows UK individuals whose personal data has been sent to the US to access a newly established redress mechanism if they believe that their personal data was collected or processed unlawfully by the US for national security purposes.
Why does this matter?
From 12 October 2023, UK organisations will be able to send personal data to certified US organisations without needing to use one of the standard transfer mechanisms – e.g., the International Transfer Addendum from the Information Commissioner’s Office (ICO). This should reduce the compliance burden and save organisations on both sides of the Atlantic time and resources that would otherwise have to be invested in more cumbersome transfer mechanisms.
How can organisations use the UK-US Data Bridge?
The UK-US Data Bridge comes into effect from 12 October 2023, but US recipients must be certified with the DPF in order to participate (guidance for US organisations on how to do this is provided in our July 2023 post on the DPF under ‘What should US companies do?’).
Therefore, before UK organisations start using the UK-US Data Bridge to transfer personal data to the US, they should first confirm that the US recipient is appropriately certified by taking the following steps:
- Check the DPF List to verify that the US recipient is an active DPF participant.
- Confirm that the recipient’s DPF List entry also shows it has opted into the UK Extension. Certification under the EU-US DPF alone is not enough: a US organisation must separately sign up to the UK-US Data Bridge to receive UK personal data under it.
Currently, only US organisations that are subject to the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are eligible to certify under the DPF and therefore to participate in the UK-US Data Bridge. UK organisations wishing to send personal data to US organisations outside FTC or DoT jurisdiction must continue to rely on the established transfer mechanisms for the time being.
As ever, UK organisations that participate in the UK-US Data Bridge should also ensure their privacy policies and documents are updated to accord with any changes in how they transfer personal data to the US.
The ICO released a statement supporting the Data Bridge overall but outlining four specific concerns:
- Automated decisions. The UK-US Data Bridge contains no right substantially equivalent to the UK General Data Protection Regulation (GDPR) right for individuals to obtain human review of automated decisions that have legal or similarly significant effects. This gap could become significant as artificial intelligence plays a larger role in decisions about people’s lives.
- Data subject rights. The UK-US Data Bridge does not contain a right substantially similar to the UK GDPR right to be forgotten, nor an unconditional right to withdraw consent. Individuals therefore do not have the same control over their personal data once it is in the US as they do while it is in the UK.
- Criminal conviction data. It is not clear what limits the UK-US Data Bridge places on the use of criminal conviction data once those convictions have become ‘spent’ under UK law, including whether individuals can require that the data be deleted.
- Sensitive data. The DPF’s definition of sensitive data is narrower than the UK GDPR’s definition of special category data, so a UK organisation must explicitly identify such data as sensitive when sending it in order for the US recipient to treat it as such under the UK-US Data Bridge. If exporters fail to do so, sensitive data may not be adequately protected in practice. Guidance from the UK government on this topic is expected to follow.
The DPF’s predecessor, the EU-US Privacy Shield, was invalidated by the Court of Justice of the European Union in Schrems II (2020) because US surveillance law did not limit intelligence collection to what was necessary and proportionate and gave EU individuals no effective redress. Similar legal challenges likely await the DPF; for example, a French Member of the European Parliament has already asked the EU’s General Court to have the DPF suspended.
The UK-US Data Bridge is open to similar legal challenges brought through the UK’s legal system. UK organisations should therefore be mindful of this risk and maintain an alternative transfer mechanism as a fallback. You never know when the courts may decide to intervene – but we’ll make sure to keep you posted.