There's a new way for UK businesses to transfer personal data compliantly to the US. A newly established data bridge, an extension to the EU-US Data Protection Framework (DPF) adopted in July 2023, enables organisations in the UK to transfer personal data to organisations in the US that have certified to the DPF, without putting in place further safeguards, such as standard contractual clauses (SCCs), or carrying out a transfer risk assessment.

What is the UK-US Data Bridge?

In July 2023, the European Commission adopted its adequacy decision for the DPF (see our earlier briefing on that decision), which enables EU organisations to transfer personal data to US organisations that have self-certified their participation in the DPF. On 21 September 2023, the UK Government laid adequacy regulations before Parliament to extend the DPF to data transfers from the UK to the US. The US Attorney General has also designated the UK as a qualifying state under the Executive Order that underpins the DPF, which allows UK data subjects to seek redress from the Data Protection Review Court if they consider that their data has been processed unlawfully by US authorities for national security purposes.

This means that, with effect from 12 October 2023, UK organisations can transfer personal data compliantly to US organisations that have signed up to the DPF, without the need for SCCs and a transfer risk assessment.

Will the UK-US Data Bridge work for transfers to all US organisations?

No, it only applies to transfers to US organisations that have certified to the DPF. Moreover, only US organisations subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation are eligible to certify to the DPF. This excludes organisations such as banking, insurance and telecommunications companies, so a transfer to such a recipient will still need another transfer mechanism, such as SCCs.

There are special rules for certain types of data under the UK-US Data Bridge

Depending on the type of data that is to be transferred, there are a few things to bear in mind and additional steps you may need to take to ensure that data subjects' protections aren't impacted upon transfer:


  • Journalistic data cannot be transferred under the UK-US Data Bridge.

  • Genetic data, biometric data for identification, criminal offence data and data concerning sexual orientation must be expressly identified to the US recipient as "sensitive" data when it is shared.

  • If HR data is to be shared, the US recipient organisation needs to have indicated that they can receive such data under their certification to the DPF.

What's the ICO's view of the UK-US Data Bridge?

The UK Information Commissioner has given qualified assurance: while he considers it reasonable for the Secretary of State to conclude that the UK-US Data Bridge affords an adequate level of protection, he has identified four main risks (see below) to the protection of data subjects, and urges the UK Government to monitor the Data Bridge and check that it offers adequate data protection in practice.

ICO's suggested areas for improvement

The ICO has identified the following four shortcomings of the UK-US Data Bridge:

  • The lack of a legal requirement to identify certain special category data as "sensitive", despite this being necessary to provide equivalent protection for this information.

  • The treatment of criminal offence data – there are no equivalent provisions to those that protect data subjects in the UK in relation to spent convictions under the UK's Rehabilitation of Offenders Act 1974.

  • The UK-US Data Bridge does not protect individuals against solely automated processing which would produce legal effects for them (which is becoming increasingly important given the explosion in the use of AI).

  • It does not provide the same degree of control to individuals over their personal data in relation to the right to be forgotten or the right to withdraw consent as they have in the UK.

What happens if the DPF is successfully challenged?

It is currently unclear how the UK-US Data Bridge would be affected by the outcome of any future challenges to the DPF. Max Schrems has already threatened to challenge it, and he will not be the first out of the blocks: the Court of Justice of the European Union has recently rejected a request by a French member of Parliament to suspend the DPF. Given that the UK-US Data Bridge acts as an extension of the DPF, it seems likely that a successful legal challenge to the DPF could invalidate the UK-US Data Bridge too.

What practical steps can you take?

If you are considering relying on the UK-US Data Bridge:

  • Confirm that the recipient US organisation is fully certified to the DPF and that it has signed up to the UK Extension, as shown on the DPF website. If the transfer includes HR data, also check on that website, and in the recipient's privacy policy (to which it links), whether the recipient is covered for HR data.

  • Expressly identify relevant biometric, genetic, sexual orientation and criminal offence data as "sensitive".

  • Update your privacy policies and records of processing to reflect any changes in how you transfer personal data to the US.

  • If you already have established processes in place using other transfer mechanisms, such as SCCs, you may choose to continue to use those, or at least to keep them as a fall-back option, in view of the uncertainty around the long-term validity of the UK-US Data Bridge. In that case, reference the UK-US Data Bridge, and the framework that underpins it, as part of the associated transfer risk assessments.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.