The UK-US Data Bridge (the "Data Bridge") has now come into effect, potentially simplifying transfers of personal data from the UK to the US.
On 12 October 2023, the Data Bridge took effect. The Data Bridge allows UK organisations to transfer personal data to US organisations that have self-certified to the EU-US Data Privacy Framework (the "DPF") without needing to implement additional safeguards, such as Standard Contractual Clauses (with a UK Addendum) (the "SCCs") or the UK's International Data Transfer Agreement (the "IDTA").
What is the Data Bridge, and what does it seek to address?
Chapter V of the UK's implementation of Regulation (EU) 2016/679 (the "UK GDPR") imposes a general prohibition on cross-border transfers of personal data to recipients located outside the UK, unless appropriate transfer mechanisms are implemented, or a derogation applies. There are several mechanisms available to UK organisations to overcome these restrictions – including where the Information Commissioner's Office (the "ICO") has determined that a jurisdiction provides an 'adequate' level of protection for personal data transferred from the UK to that jurisdiction. Where the ICO has made this determination, personal data can flow freely to that jurisdiction without the transferor needing to implement additional safeguards (or rely on any applicable derogation) under the UK GDPR.
The US has twice previously been deemed adequate under the pre-Brexit EU GDPR regime. However, the Court of Justice of the EU (the "CJEU") has twice issued rulings that effectively invalidated those adequacy decisions. A central concern has been the degree of protection afforded to personal data in the US, which can be accessed by public agencies for law enforcement and national security purposes. Subsequently, the EU and the US negotiated the DPF. The DPF allows personal data to be transferred from the European Economic Area (the "EEA") to US organisations that have self-certified to the DPF, by providing additional safeguards and redress mechanisms to affected individuals (particularly where their data may be accessed by US intelligence agencies).
The Data Bridge functions as an extension of the DPF, allowing personal data to be lawfully transferred from the UK to self-certifying entities in the US. The Data Bridge provides affected individuals with similar safeguards and redress mechanisms to those set out in the DPF, thereby (in principle) ensuring that their personal data is still subject to an 'adequate' level of protection once transferred to the US. Switzerland has also recently implemented a similar approach.
The Data Bridge is potentially beneficial for UK organisations conducting transatlantic data transfers, because:
i. it removes the need to implement additional safeguards, which can be complex, costly and time-consuming; and
ii. it largely harmonises transatlantic data transfer regimes by enabling entities in the UK and the EEA (and, once adequacy is formalised, Switzerland) to all use effectively the same mechanism for sending personal data to the US.
Practical Considerations
1) UK organisations cannot simply transfer personal data to any US recipient
For personal data to flow freely under the Data Bridge, the US recipient must be self-certified under both the DPF and the Data Bridge.
Note that not all US organisations are permitted to self-certify to the DPF – only US organisations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are currently eligible to participate. This generally excludes insurance, banking and telecommunications organisations.
The US recipient must also specifically elect to participate in the Data Bridge.
A full list of organisations that have self-certified to the DPF and the Data Bridge can be found on the official DPF List.
2) Certain categories of personal data are subject to additional requirements
UK organisations should carefully review the types of personal data to be transferred to the US and consider whether these are covered by applicable restrictions under the Data Bridge.
Journalistic data (i.e. "Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives") cannot be transferred under the Data Bridge.
Additionally, certain special categories of data (in particular, genetic data, biometric data for the purpose of uniquely identifying an individual, and/or data concerning sexual orientation) and criminal offence data must be specifically identified as "sensitive" data in order to be transferred under the Data Bridge. UK organisations must therefore specifically highlight that these categories of data are sensitive and require additional protections when transferring any of them to a US recipient.
It is also advisable to review any privacy policies maintained by the US recipient (which can be found in their DPF record) to confirm whether the types of personal data being transferred are covered.
3) Updates to other compliance documentation may be required
When relying on the Data Bridge to transfer personal data to the US, UK organisations should implement corresponding updates to their data protection compliance documentation, such as:
- listing the Data Bridge as a relevant transfer mechanism in their privacy notices to comply with transparency requirements;
- updating their records of processing activities to accurately reflect which international transfers of personal data are subject to the Data Bridge; and
- listing the Data Bridge as the relevant transfer mechanism in any new data transfer agreements entered into with relevant US companies.
4) The Data Bridge may be challenged in the coming years
The DPF is highly likely to face legal challenges before the CJEU, on the basis that the DPF arguably does not do enough to protect EU citizens whose personal data are transferred to the US. This is perhaps unsurprising, given that the CJEU invalidated previous adequacy decisions on similar grounds.
It seems likely that any such challenges may take years to get through the European courts, and it remains to be seen whether similar challenges will be raised in the UK. However, the ICO has already issued an Opinion highlighting specific areas that could leave the Data Bridge open to challenge. As such, UK organisations should keep abreast of developments in this area, and should consider whether to rely on the Data Bridge, or continue to use other data transfer mechanisms (e.g. SCCs or the IDTA) when transferring personal data to the US, so as to avoid the risk that the Data Bridge is later invalidated by the courts.
© 2023 White & Case LLP