Personal Data Transfers: UK-US Data Bridge Opens on 12 October

The UK-US data bridge (the “Data Bridge”) will formally open on 12 October 2023. This will provide a new lawful safeguard for UK organisations to transfer personal data to certified organisations based in the US.

Requirements for International Data Transfers

The General Data Protection Regulation (GDPR) (and UK GDPR in the UK) prohibits personal data transfers to countries outside of the EU/UK unless adequate safeguards are in place. One such safeguard is an adequacy decision (Article 45 UK GDPR); the European Commission adopted an Adequacy Decision for EU-US Data Transfers on 21 July 2023, under the EU-US Data Privacy Framework (the “Framework”), and the Data Bridge is the UK’s extension to this.

The Data Bridge permits the transfer of personal data between the UK and US if the transfer is to a US organisation listed on the EU-US Data Privacy Framework. Any transfer of personal data covered by the UK GDPR will then be subject to the Framework.

The Framework outlines commitments to privacy obligations that US businesses must agree to when receiving EU individuals’ personal data. As a result of the Data Bridge, these commitments will apply equally when receiving UK individuals’ personal data. US businesses signed up to the Framework do not need to put into place additional transfer safeguards.

Next Steps

If relying on the Data Bridge, UK organisations must first check the recipient US organisation is listed as participating in the Framework. Some sectors cannot join (for example, banking, insurance, and telecoms organisations).

If an organisation cannot rely on the Data Bridge to transfer personal data to the US, one of the pre-existing appropriate safeguards will need to be used (e.g., the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses), or any available derogation under Article 49 UK GDPR. Organisations should also carry out a transfer risk assessment to validate the transfers.

The Data Bridge replaces the Privacy Shield, which was invalidated through the Schrems II litigation. While the ICO’s published opinion states that the Data Bridge provides an adequate level of data protection, there will likely be legal challenges. For example, privacy interest groups in the UK may well challenge the Data Bridge.

Organisations sharing personal data with organisations in the US under the Data Bridge should review their privacy policies and notices and update them to include information on the Data Bridge. If you have any questions on transferring personal data internationally, please contact our Data Privacy team.