UK-US Data Bridge: What You Need To Know
Key Contact: Declan Goodwin
Author: Adam Munn
The UK government has announced a new data flow agreement with the US, which will allow UK businesses to transfer personal data to the US more easily.
The agreement, known as the UK-US Data Bridge, is an extension of the EU-US Data Privacy Framework (DPF), which was finalised in July 2023. The DPF is a voluntary certification scheme for US organisations that meet certain data protection standards. You can read more about the DPF in our earlier article, published here.
The UK-US Data Bridge allows UK organisations to transfer personal data subject to the UK General Data Protection Regulation (UK GDPR) to participating US organisations without the need to (i) put in place further safeguards, for example, the UK’s international data transfer agreement or the EU’s standard contractual clauses and the UK Addendum and (ii) carry out a transfer risk assessment.
To participate in the UK-US Data Bridge, US organisations must first participate in the EU-US DPF and comply with its principles. Once a US organisation has been certified and is publicly placed on the DPF List on the DPF website, they can receive UK personal data through the UK-US Data Bridge.
The UK-US Data Bridge will come into force on 12th October 2023.
What should UK companies do now?
Before sending personal data to the US, UK companies must confirm that the recipient is certified with the DPF. They can do this by going to the DPF List and searching for the organisation.
In addition, UK companies should check whether they need to update their own documents to reflect their reliance on the UK-US Data Bridge e.g. privacy policy, records of processing and data sharing agreements.
Who is eligible to participate in the DPF programme?
Currently, only US organisations that are subject to the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Commerce (DOC) are eligible to participate in the DPF programme. This means that US organisations in sectors such as banking, insurance, and telecommunications, which are not subject to the jurisdiction of either the FTC or DOC, are not currently eligible to participate in the DPF programme.
The US government has stated that it is working to expand the eligibility criteria for the DPF programme, but it is unclear when this will happen. In the meantime, UK organisations that need to transfer personal data to US organisations that are not certified under the DPF will need to rely on other safeguards, such as standard contractual clauses or binding corporate rules.
Conclusion
The UK-US Data Bridge is a welcome development for UK businesses that need to transfer personal data to the US. It provides a streamlined and more efficient way to make these transfers, while still maintaining a high level of data protection.
UK companies should take the time to review their privacy policies and data processing activities to ensure that they are in compliance with the requirements of the UK-US Data Bridge.
For more information on the UK-US Data Bridge and/or assistance in reviewing and updating your documents, please get in touch with our Commercial and Technology Team.
