Following our update on 15 June, the UK-US Data Bridge (Data Bridge) came into force on 12 October 2023 – but what does this mean for your business?
What is the UK-US Data Bridge?
The Data Bridge is a vehicle that allows UK companies to transfer personal data to US companies without the need for additional safeguards – such as the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA), or a transfer risk assessment.
How will the Data Bridge operate?
It is important to note that the Data Bridge does not create a blanket right to transfer data from the UK to the US. Organisations looking to use the Data Bridge as a transfer mechanism must comply with a number of conditions, such as:
- Only transferring data to US companies that are registered to the Data Privacy Framework (DPF) (which excludes companies in industries such as banking, insurance, and telecommunications).
- Expressly marking certain data as “sensitive”, such as genetic data, biometric data for identification, criminal offence data and data concerning sexual orientation.
- Complying with certain rules around HR data being shared and received.
Provided the specific rules and regulations are complied with, personal data can be transferred freely between the UK and the US.
How do I know if an organisation is registered to the DPF?
The DPF operates on a “self-certification” basis whereby US companies publicly commit to comply with the DPF principles. You can find a list of the registered companies here.
It should be noted, however, that although an organisation may be registered on the DPF website, this does not necessarily mean that it is compliant with the relevant principles. You should conduct due diligence on each US entity to which you plan to transfer data to ensure its compliance.
A number of activists have criticised the EU-US Data Bridge (which operates in the same way as the UK-US Data Bridge) on the grounds that it does not provide appropriate safeguards for personal data, with particular reference to data protection laws in the US.
One activist is Max Schrems, who was responsible for the Schrems II decision, which led to additional safeguards being implemented in cross-border data transfer (see here for more information). Schrems has presented several challenges to the Data Bridge which could bring into question how long it will be in force.
Steps your organisation should take
If you are considering utilising the Data Bridge for data transfers to the US, you should:
- Check that the US organisation is registered on the DPF website, as well as any limitations or permissions you may need for transferring certain types of data;
- Conduct further due diligence on the recipient to ensure that their practices align with the DPF principles;
- Ensure you comply with the requirements of the DPF, for example by expressly marking certain data as “sensitive” where appropriate;
- Due to the potential challenges with the Data Bridge, keep your previous contracts as a failsafe (e.g., where you have used the SCCs, Addendum or IDTA). You may also wish to continue using these mechanisms despite the introduction of the Data Bridge.
If you want to transfer data to the US and you would like to discuss the content of this article or any other concerns you may have, please:
Book a 30-minute FREE Consult; or fill in the form below requesting a call back from Haroon Younis, Partner & Head of Commercial.
Please note that this information is for general guidance only and should not substitute professional legal advice. If you have specific concerns, we recommend consulting one of our legal experts.