International: The UK-US Data Bridge - what is it and how can organizations use it?

From October 12, 2023, businesses have been able to use the new UK-US Data Bridge, a partial adequacy decision covering in-scope US organizations that have self-certified under the UK-US Data Bridge, to make transfers of personal data from the UK to the US. For many UK and US businesses, this has been an important and much-needed addition to the EU-US Data Privacy Framework (EU-US DPF) which had already been available for businesses to use for transfers of personal data from the EU to the US since July 2023. Jonathan McDonald and Emily Barwell, from Osborne Clarke, provide an overview of the UK-US Data Bridge and what it covers, as well as a look at other UK transfer mechanisms.


Background

Following the much-discussed Schrems II ruling back in July 2020, the Privacy Shield (the previous partial-US adequacy decision) was invalidated and could no longer be relied upon to make lawful transfers of personal data from the EU (which pre-Brexit had included the UK) to the US. This left many businesses and other organizations with a sudden barrier to their data sharing activities.

The ruling had wide-reaching implications for transfers to the US, leaving considerable legal uncertainty, particularly to those businesses on either side of the Atlantic that had set up often complex data flows in reliance on the Privacy Shield framework and now found themselves scrambling around for an alternative transfer mechanism to rely upon instead. The obvious and, in many cases, the only alternative for such businesses was to rely on the Standard Contractual Clause mechanism (SCCs) under the General Data Protection Regulation (GDPR), but relying on this mechanism not only required additional legal and administrative time and resources but was also subject to uncertainty given that many of the issues that had meant the EU-US Privacy Shield was struck down also applied to the SCCs.

Then, on July 11, 2023, the new EU-US DPF went live (eliciting a sigh of relief from many data privacy practitioners!). It was billed as a 'new and improved' replacement to the Privacy Shield, coming with additional protections for EU citizens under US national security procedures along with redress mechanisms in the event that EU citizens' privacy rights were infringed. Of key importance, like the Privacy Shield, it remains a self-certification regime, meaning that the application process is quick and easy (notwithstanding the public commitments and behind-the-scenes actions an organization also needs to take to implement the framework properly) and the authorities responsible for administering the regime will only take a substantive interest in an organization's compliance activities if, in due course, something goes wrong.

Why did the UK need a separate data bridge?

Whilst the UK had benefitted from the Privacy Shield, it did not directly benefit from the newly agreed EU-US DPF. This was because, on January 1, 2021, the UK formally left the EU, meaning that it was not included in the EU-US DPF. However, upon the agreement of the EU-US DPF, it was anticipated that the UK would be able to add an extension so companies dealing with UK personal data could benefit from the arrangement.

How can companies use the new UK-US Data Bridge?

The good news for those businesses that are interested in relying on the UK-US Data Bridge is that it works in a similar way to (and in some respects 'piggy-backs on') the EU-US DPF, making it relatively straightforward for US organizations to sign up for both transfer mechanisms.

A US business wishing to participate in both the EU-US DPF and the UK-US Data Bridge can apply for both at once through the self-certification mechanism on the Data Privacy Program website. This requires the business to commit to adhering to the principles of both frameworks (as well as providing relevant registration information, submitting a draft copy of its privacy notice referring to the DPF/Data Bridge, and paying the applicable fee). If the business is already part of EU-US DPF but now wishes to broaden this to include the UK-US Data Bridge it can change its election to include the UK-US Data Bridge as part of the annual renewal process. There was also an additional window for organizations who had already signed up to participate in the EU-US DPF to add the UK element to their certification, but the deadline for this passed in mid-October 2023.

In terms of other public-facing actions, in addition to self-certifying on the DPF website, as alluded to above, US businesses will need to change their privacy notices to indicate that they are relying on this transfer mechanism. UK businesses will also need to amend their privacy notices to indicate that they are transferring personal data on this basis. In addition, UK businesses will need to undertake their own due diligence to satisfy themselves that the recipients of the personal data are participants under the EU-US DPF and have signed up for the UK-US Data Bridge extension.

As well as the EU-US DPF and the UK-US Data Bridge, the new framework and website are preemptively set up to allow a US business to extend its registration to include transfers under the new Swiss-US Data Privacy Framework (the Swiss-US DPF). Like the UK, Switzerland is not part of the EU and therefore did not automatically benefit from the EU-US DPF. The effective date of the Swiss-US DPF was actually the same as the EU-US DPF (July 17, 2023, notably much earlier than the UK-US Data Bridge). However, personal data cannot yet be transferred from Switzerland in reliance on the Swiss-US DPF until Switzerland itself recognizes the framework as adequate. At the time of writing, adequacy has not yet been granted by the Swiss authorities.

Does this cover all personal data sent to the US from the UK?

It is important to note that there are some cases where it won't be possible to use the UK-US Data Bridge for transfers of personal data to the US. First and foremost, this will be the case where the US recipient of the personal data has either not signed up to the EU-US DPF or has not extended its certification to include the UK-US Data Bridge. Secondly, there are also some types of personal data that are either excluded from being transferred under the EU-US DPF completely or need additional steps to be taken before the personal data can be transferred. This covers some special categories of data, criminal offense data, or data that is covered by the journalistic exemption under the GDPR/UK GDPR.

If businesses cannot use the UK-US Data Bridge, they will need to ensure they are using a different transfer mechanism or an exemption for transferring personal data to the US. This could include the UK's international data transfer addendum (the UK Addendum) to the EU SCCs, the UK's stand-alone international data transfer agreement (UK IDTA), pre-GDPR EU SCCs (where a business has historic data-flows that were entered into in reliance on the pre-GDPR EU SCCs prior to September 2022), or UK Binding Corporate Rules (BCRs).

A word on other updates to UK transfer mechanisms

As mentioned above, the UK-US Data Bridge is not the only transfer mechanism available for transfers of personal data from the UK to the US. The UK introduced the UK Addendum and the UK IDTA in March 2022. Both are valid and useful transfer mechanisms with the UK Addendum particularly widely used as it allows businesses to 'piggy-back' on measures taken in relation to the EU to also cover data flows from the UK (essentially in the same way as the UK-US Data Bridge allows). This concept of UK transfer mechanisms that piggyback on their EU equivalents is one that the UK authorities have been keen to introduce. In October 2023, the UK Information Commissioner's Office (ICO) announced the forthcoming introduction of a UK BCR Addendum, to complement and widen the scope of EU BCRs to cover UK data transfers. Post-Brexit, EU BCRs no longer covered the UK, requiring businesses that wished to rely on BCRs for both the EU and the UK to have near-identical but still different frameworks in place. Recognizing the negative aspects of this situation (as well as the time it was taking for businesses to have their UK BCRs approved by the ICO), the UK has sought to streamline the UK BCR regime with the introduction of a UK Addendum. At the time of writing, the UK BCR Addendum has not been formally launched, but it is expected shortly.

As a final word, if a business currently relies on the pre-GDPR SCCs to transfer personal data from the UK to the US (or the RoW) (see above), it may continue to do so until March 21, 2024, after which the pre-GDPR SCCs will no longer apply for the UK and an alternative transfer mechanism will be required.

Is the new UK-US data bridge here to stay?

The EU-US DPF is already seeing legal challenges on the basis that it does not do enough to protect EU citizens whose personal data is transferred to the US. Indeed, such a challenge has already been brought by a French MEP (in a personal capacity), asserting that the adequacy decision did not do enough to protect the right to a private life under the Charter of Fundamental Rights. The French lawmaker had requested an immediate suspension of the EU-US DPF, which has since been denied by the Court of Justice of the European Union. It is also anticipated that a challenge is likely to be brought by Max Schrems (the privacy advocate who had challenged the previous two EU-US transfer mechanisms) and his privacy organization.

In the event that a challenge to the EU-US DPF is successful, or the European Commission reverses its approval of the framework, it is not clear whether the UK-US Data Bridge would also be invalidated. There are arguments both for and against whether it would be likely to continue.

Given that a US business must participate in the EU-US DPF to be able to participate in the UK-US Data Bridge, there is an argument to suggest that the UK-US Data Bridge will only remain valid where the EU-US DPF remains valid. However, since the UK is not part of the EU, there is a possibility that it would take an alternative approach. If an organization has still satisfied all the conditions for the UK-US Data Bridge, even where the EU-US DPF is declared invalid, the UK could argue that it is not dependent on the EU Commissioner's approval for the use of the UK-US Data Bridge. In such a situation, US organizations would still be subject to the same certification regime regardless of whether it is deemed acceptable for international transfers in the eyes of the EU (noting that even when the Privacy Shield was invalidated, US organizations could remain registered with the US side of the framework even though such registration no longer served any purpose).

A decision for the UK to depart from alignment with the EU on US data transfers would likely have political implications, and in the event that the EU-US DPF is declared invalid, businesses will need to await guidance from the ICO regarding whether the UK-US Data Bridge could continue to be relied upon.

Conclusion

The UK-US Data Bridge is a welcome addition to the EU-US DPF, since it both allows UK businesses to benefit from easier data flows to the US and helps US businesses consolidate their approach to personal data transfers from both the EU and UK. However, businesses need to keep a watchful eye in this space since legal challenges to the EU-US DPF could affect both the EU and the UK. Given the uncertainty on how long the new framework can be relied upon, it is not uncommon for businesses to take a 'belt and braces' approach by using both the new transfer mechanisms as well as SCCs (and/or the UK Addendum/IDTA) for the UK.

Jonathan McDonald Partner
Emily Barwell Senior Associate
Osborne Clarke, London and Washington