The UK and U.S. Governments have now formalized the UK-U.S. Data Bridge. The U.S. Attorney General designated the UK as a “qualifying state” for the purposes of Executive Order 14086 on September 18, 2023, and the UK regulations implementing the Data Bridge are scheduled to take effect on October 12, 2023. From October 12, 2023, the Data Bridge will therefore operate as an extension of the EU-U.S. Data Privacy Framework (DPF) to enable the unrestricted movement of personal data between the UK and certified U.S. entities. For more information about the DPF, see our earlier briefing here.
The Data Bridge serves as a partial adequacy decision under the UK GDPR and offers U.S. organizations certified under the DPF the opportunity to extend their certification to include UK personal data. This essentially streamlines the process of transferring data between these two jurisdictions, reducing administrative hurdles such as the need to implement the UK International Data Transfer Agreement (or the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs)).
The Data Bridge is not a carte blanche for UK organizations to transfer personal data to any recipient in the U.S. Instead, it lays out specific criteria that must be met for data to flow freely. The key points can be summarized as follows:
- The recipient in the U.S. must be certified under the DPF, which is currently open to U.S. organizations subject to the jurisdiction of either the U.S. Federal Trade Commission (FTC) or the U.S. Department of Transportation (DoT).
- The U.S. recipient should therefore appear on the DPF List, which will indicate whether they have also certified for the UK extension. Note that not all DPF participants will have made this election, and U.S. organizations that are currently certified under the DPF should consider whether they wish to add this to their existing certification.
- Special category data, criminal offence data, and other more sensitive data can generally be shared with U.S. organizations certified under the Data Bridge. However, the data must be correctly identified as such by UK organizations when it is being shared as there are inconsistencies between the special categories of personal data identified by Article 9 UK GDPR, and the categories of information designated as sensitive under the Data Bridge. Organizations should therefore carefully consider the data they wish to share under the Data Bridge and ensure their transfers are documented accordingly.
In cases where organizations cannot rely on the Data Bridge to transfer personal data to the U.S., they will need to resort to pre-existing appropriate safeguards (such as SCCs or binding corporate rules (BCRs)) or make use of the available derogations under Article 49 UK GDPR. These alternatives ensure that UK-U.S. transfers are still possible where a U.S. organization does not qualify for the Data Bridge (e.g., because it is not subject to the jurisdiction of the FTC or DoT), has otherwise decided not to self-certify, or where the DPF and/or the Data Bridge is challenged and ultimately invalidated by the courts.
Further, because it is likely that the Data Bridge and/or the DPF will be challenged, an organization looking to rely on them would be advised to maintain any SCCs contained in existing agreements and to incorporate them in future agreements as a fallback position, at least in the short to medium term.
The UK regulator for data protection matters, the Information Commissioner’s Office (or ICO), has issued an opinion in relation to the Data Bridge in which it flagged four key areas of risk that must be monitored, namely: (i) the definition of sensitive information under the Data Bridge and the lack of complete overlap with Article 9 UK GDPR (as discussed above); (ii) differences in approach to criminal offence data in the UK and U.S.; (iii) the lack of an equivalent right in the U.S. not to be subject to decisions based solely on automated processing; and (iv) a reduction in the level of control that data subjects have in relation to their personal data when transferred under the Data Bridge. These should be monitored by UK exporters on an ongoing basis to ensure the Data Bridge continues to provide an adequate level of protection for personal data.
For more information about the Data Bridge, for help understanding how it could impact your organization, or for assistance in certifying under the DPF and Data Bridge (or adding the Data Bridge to your organization’s existing DPF certification) please reach out to a member of Pillsbury’s Data Protection & Privacy team or your usual Pillsbury contact.