On 21 September 2023, the UK government announced the UK Extension to the EU-US Data Privacy Framework (DPF), i.e., the US-UK data bridge (Data Bridge). The Data Bridge will go live on 12 October 2023 and will enable UK organisations to transfer personal data to organisations in the US that have certified compliance with the DPF. For more information on the DPF and the EU’s related adequacy decision, read our blog post here.
Below are the key takeaways on the Data Bridge:
What is the Data Bridge?
The Data Bridge is the UK Extension to the existing DPF that facilitates cross-border transfer of personal data in compliance with the GDPR and the UK GDPR. The Data Bridge will allow UK organisations to transfer personal data to US organisations that have certified to the DPF with respect to the personal data they receive from the UK, without the need to put additional safeguards in place.
Who can Rely on the Data Bridge?
To rely on the Data Bridge, companies that have already certified to the DPF and are on the DPF List need to opt in to the UK Extension. Only organisations that fall under the jurisdiction of the US Federal Trade Commission or US Department of Transportation are eligible to participate. This means that some of the organisations in sectors such as banking, insurance, and telecommunications are excluded for consumer data, but can still participate in the Data Bridge to cover transfers of their own HR data.
Which Types of Personal Data can be Transferred Under the Data Bridge?
The Data Bridge can be used to transfer all types of personal data, including sensitive data. However, as the DPF does not mirror the UK General Data Protection Regulation definition of sensitive data, organisations should clearly label sensitive data to ensure it will be adequately protected. The DPF and the Data Bridge do not apply to journalistic data.
When can Organisations Start Relying on the Data Bridge?
The Data Bridge formally opens on 12 October 2023, when UK organisations can begin transferring UK personal data to US organisations that have certified to the DPF and opted into the Data Bridge. Prior to that, organisations relying on the Data Bridge will need to update their privacy documentation, such as external and internal privacy policies and records, to ensure these new transfer safeguards are accurately reflected.
Does the Data Bridge Have an Effect on Other UK Transfer Mechanisms?
No. Organisations may continue to rely on other transfer mechanisms such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum appended to the European Commission–approved standard contractual clauses to transfer personal data to the US. The IDTA and the UK Addendum still require a transfer impact assessment (TIA). However, completing a TIA will now be less complex. This is because the enhanced US privacy protections that were enacted to support the DPF also apply to transfers made under the IDTA and the UK Addendum. Such protections support the TIA’s analysis of US laws for ensuring “essential equivalency” with UK data protection requirements.
What Happens to the Data Bridge if the EU Courts Were to Invalidate the DPF?
As there has already been an EU challenge, there is a possibility UK privacy groups may mount their own challenge to the Data Bridge. However, any challenge will likely take years to reach the courts.
It is not clear whether the Data Bridge would also be invalidated in the event of a successful challenge to the DPF or if the European Commission reverses its approval of the DPF. Of course, the UK has now left the EU, so any successful EU challenge will not have a direct impact in the UK. But as the Data Bridge is an extension of the DPF and US organisations must certify to the DPF to be able to participate in the Data Bridge, the Data Bridge could indirectly be affected.
For assistance with signing up to the DPF and advice on implementing appropriate data transfer tools, please contact our Data Privacy & Cybersecurity team.