Why It’s Time to Unlock the Benefits of the UK-US Data Bridge

In late September, the UK government announced a new adequacy agreement with the US designed to enable more seamless cross-border data flows. In theory, it will ensure that the personal data of UK citizens stored by US companies will still retain the same level of GDPR protections as if it resided in the UK or EU countries. Perhaps more importantly for businesses, this so-called “UK-US data bridge” should help firms to reduce their compliance and regulatory burden.

What Is The Data Bridge?

The UK-US data bridge is, in effect, an extension of the new EU-US Data Privacy Framework (DPF), which itself is the successor of the EU-US Privacy Shield that EU courts struck down after the Schrems II ruling in July 2020. It aims to provide legal certainty for organisations wanting to transfer personal data covered by the GDPR and UK GDPR to the US in a manner fully compliant with EU and UK data protection laws.

It will replace more unwieldy methods for transferring data from the UK to the US, such as via the UK version of the standard contractual clauses, the International Data Transfer Agreement, or other “appropriate safeguards” outlined in the UK GDPR.

How Does It Work?

The new UK-US data bridge will work in an almost identical way to the EU-US DPF. In fact, US organisations must already participate in the DPF to be able to use the data bridge. It will become available from 12 October 2023, with hundreds of US firms already stating their intention to participate.

US organisations certified under the DPF can simply extend their certification to cover data transfers from the UK by selecting the relevant option via their online DPF account.

Some Exceptions

UK privacy regulator the Information Commissioner’s Office (ICO) has issued an opinion on the data bridge, which warns that certain categories of data aren’t treated as sensitive under the DPF. Therefore, the following must be highlighted to US organisations participating in the bridge that they should be treated as sensitive:

• Criminal offence data
• Genetic data
• Biometric data used to uniquely identify a person
• Data on sexual orientation

What Happens Next?

According to Osborne Clark, businesses looking to transfer personal data from the UK to the US should:

1. Understand how far existing arrangements with US firms could benefit from the new data bridge. That will require checking whether those US firms participate, or intend to, in the agreement and ensuring the data they transfer is covered.
2. Double-check and update privacy notices, records of processing and contracts.
3. Continue using the International Data Transfer Agreement or binding corporate rules where the UK-US data bridge isn’t possible.

Peter Church, TMT Counsel at Linklaters, argues that the data bridge will give UK firms a further incentive to deal with US service providers that have signed up.

“It allows UK businesses to automatically comply with the rules on international data transfers without the need for extra steps, such as carrying out a risk assessment. It also involves minimal additional effort by the UK business as the majority of the compliance burden falls on the US entity,” he tells ISMS.online.

“Having said that, there are a couple of quirks for UK businesses to look out for, such as the need to specifically identify genetic, biometric, sexual orientation and criminal information as sensitive and checking if the US entity has made specific HR commitments before transferring HR data.”

What Does It Mean For Businesses?

Other experts also welcome the new data transfer deal. Ieuan Jolly, Partner and Chair of Linklaters’ US TMT & Data Solutions Practice, argues that it will help to “unlock economic opportunities” and build stronger transatlantic ties by helping to align data protection standards. That’s good news for a UK economy said to be worth over £150bn annually and employing 1.7 million.

“The deal provides a level of legal certainty businesses have been yearning for. With clear guidelines and safeguards for the cross-border transfer of personal data, it will enable companies to plan and operate with more confidence. This newfound certainty is particularly vital for industries reliant on data-driven strategies, such as technology, e-commerce, and financial services,” he argues.

“The implications of this agreement for businesses are multifaceted. Firstly, it simplifies compliance efforts by offering a standardised framework for data transfers, reducing the regulatory burden on multinational corporations. Secondly, it encourages continued investment and expansion between the UK and the US, as companies can now navigate data privacy issues more seamlessly.”

Legal Challenges Ahead

It’s still unclear whether Schrems and his legal team will successfully challenge the original DPF. But the fact that the data bridge is merely an extension to the DPF would suggest it will only be valid for as long as the latter is.

“If the EU-US Data Privacy Framework were to be invalidated by the CJEU (again), US companies might well just abandon the scheme and the UK government may have to terminate the UK extension in order to preserve the UK’s adequacy status as regards the EU,” argues Church.

That’s why some may still want to hedge their bets, according to Osborne Clark: “Some businesses transferring personal data from the UK may still seek a belt-and-braces approach, relying on both the UK-US data bridge, as well an alternative transfer mechanism (such as the International Data Transfer Agreement addendum), particularly given the uncertainty around whether the EU-US Data Privacy Framework (and the UK extension to it) will withstand challenge,” it argues.