Bridging the gap – UK stands up data transfers “bridge” to the U.S.

On 12 October the UK–U.S. “data bridge” becomes operational, providing an additional, compliant route for UK-outbound transfers of personal data to U.S. organisations that are EU-U.S. Data Privacy Framework members. UK businesses and organisations will be able to make use of this “UK Extension to the EU-US Data Privacy Framework” to transfer personal data safely and securely to certified organisations in the U.S. from this date.

The EU-U.S. Data Privacy Framework (the DPF) was adopted In July 2023, offering a GDPR-compliant mechanism to transfer personal data from the EU to U.S. organisations who have self-certified to the DPF. The DPF is a replacement for the invalidated EU-U.S. Privacy Shield (which itself replaced the revoked EU-U.S. Safe Harbor program). The recent history of European personal data flows to the U.S. has been tumultuous, comprising a decade of legal challenges.

The establishment of the UK-U.S. data bridge required some legislative changes by both the UK and the United States.

The U.S. Attorney General, on 18 September, designated the UK as a ‘qualifying state’ under Executive Order 14086 (“Enhancing Safeguards for United States Signals Intelligence Activities”). This allows all individuals located in the UK whose personal data has been transferred to the U.S. (regardless of the transfer mechanism used) to access the newly established redress mechanism, if they believe their personal data has been accessed unlawfully by U.S. authorities for national security purposes.

The UK Secretary of State for Science, Innovation and Technology, Michelle Donelan determined that the UK extension to the EU-U.S. DPF did not undermine the level of data protection afforded to UK data subjects when their personal data was transferred to DPF members in the U.S.  This was on the basis that the DPF is deemed to offer sufficiently high standards of protection for UK-originated personal data. The Secretary of State accordingly took the decision, under Section 17A of the Data Protection Act 2018, to establish a data bridge with the United States by means of the “UK Extension to the EU-US Data Privacy Framework”. Adequacy regulations were laid in Parliament on 21 September 2023 to give effect to this decision.

For a U.S. organisation to be able to participate in the DPF, it needs to self-certify its compliance with a set of enforceable principles and requirements. These principles take the form of specific commitments to data protection and govern how an organisation may use, collect and disclose personal data. The DPF is administered by the U.S. Department of Commerce, with the U.S. Federal Trade Commission (FTC) overseeing enforcement of the DPF.  From 12 October a U.S. organisation that has self-certified and is publicly placed onto the Data Privacy Framework Program list can also opt in to the UK-U.S. data bridge and may then receive personal data from the UK.  The DPF is only available to organisations subject to the jurisdiction of the FTC or the U.S. Department of Transportation, which excludes most banks. Accordingly, the same exclusions apply to the UK-U.S. data bridge.

All bridges should ideally be built upon solid foundations (or frameworks). At the risk of striking a negative tone, there have already been vocal critics of the lawfulness of the DPF (an MEP has reportedly lodged a challenge before the Court of Justice of the EU).  The ICO also identified some concerns in its pre-adoption opinion of the Data Bridge (including around data subjects control over their data, automated decision making and spent criminal conviction data). For business-critical UK-U.S. transfers it may be prudent for the parties involved to consider how they might prepare for an agile switchover to an alternative transfer mechanism, if the adequacy recognition of the DPF (and therefore likely also the Data Bridge) was revoked.  The UK will continue to monitor the operation of the DPF to ensure that it works as intended in relation to UK data subjects and as part of the Department for Science, Innovation and Technology’s requirement to monitor data bridges.

If you would like to discuss any of the issues discussed, please contact Kate Brimsted or Geraldine Scali.