New UK-US data bridge for transfers of personal data

A new data bridge, which is an extension of the EU-US Data Privacy Framework (“the DPF”), will enable UK businesses to transfer personal data to certified US organisations without the requirement of having the usual safeguards in place or performing a transfer risk assessment. This data bridge came into force on 12 October 2023.

Background

On 10 July 2023, the European Commission adopted an adequacy decision in respect of the DPF. Under the DPF, US businesses can certify themselves, which involves complying with provisions similar to those set out in the GDPR. Once such measures are in place and the US organisation has been publicly placed on the Data Privacy Framework List (“DPF List”), personal data can be transferred freely between the EU and US without businesses needing to adopt the usual safeguards or undertake a transfer risk assessment.

The UK Government later published the Data Protection (Adequacy) (United States of America) Regulations 2023 for the UK Extension to the EU-US Data Privacy Framework. These regulations state that the US is an “adequate country” for data transfer purposes from the UK, under the UK GDPR and Data Protection Act 2018.

What is the significance of this data bridge?

This data bridge should result in personal data transfers between the UK and the US being less time-consuming and burdensome for businesses. However, as it has only recently been implemented, businesses seeking to rely on it should exercise some caution. For example, there has been discussion of a challenge which could affect the validity of the data bridge, and some time will be required to test its validity. It may be best for organisations to consider some “back up” processes, for example, having the Standard Contractual Clauses or International Data Transfer Agreement in place, in case the DPF is removed.

Melanie Pimenta

Associate

+44 118 960 4653

Fact sheet issued by the UK Government

A fact sheet has been issued by the Department for Science, Innovation and Technology (“DSIT”) which includes the following key points:

  • Only US organisations subject to the jurisdiction of the US Federal Trade Commission (“FTC”) or US Department of Transportation (“DoT”) are currently eligible to participate in the DPF programme. Those organisations not subject to the jurisdiction of either the FTC or DoT – for example, banking, insurance, and telecommunications companies – are unable to participate in the DPF programme at this time.
  • For special category and sensitive personal data, which is not covered by the DPF – genetic data; biometric data for the purpose of uniquely identifying a natural person; and data concerning sexual orientation – this must be appropriately identified as sensitive to US organisations if being transferred via the data bridge.
  • Where criminal offence data is going to be shared under the UK-US data bridge, as part of HR data, US organisations are required to indicate that they are seeking to receive such data under the DPF.
  • Before a UK organisation sends personal data in this way to the US, it must confirm that the recipient is certified with the DPF (and when transferring HR data specifically, US organisations must have highlighted this on their certification).

Key takeaways

If organisations wish to rely on this data bridge, we would recommend that the following steps are taken:

  • Ensure that the US organisation that you wish to send personal data to via this data bridge is an active DPF participant. A public DPF List is accessible on the Data Privacy Framework website.
  • Ensure that this US organisation is also signed up to the UK Extension to the EU-US Data Privacy Framework program.
  • Review the US organisation’s privacy policy linked to their DPF account to ensure that the personal data you seek to transfer is covered by this.
  • Keep an eye out for any challenges to the DPF as UK organisations may also want to have a back-up process for transferring personal data in case the DPF is considered to be inadequate. For example, Schrems’ privacy organisation, NOYB, has indicated that it may challenge the DPF.

If you need any advice in relation to international data transfers, please do not hesitate to contact our data protection lawyers.

Disclaimer
This information is for guidance purposes only and should not be regarded as a substitute for taking legal advice. Please refer to the full General Notices on our website.
