Ever since the Privacy Shield was declared invalid in the Schrems II case, there was no specific agreement or framework in place between the EU and the US to facilitate data transfers. In July 2023, the European Commission adopted the EU-US Data Privacy Framework, which helps facilitate data transfers between the EU and the US. You can read more about it here.
Due to the UK’s recent exit from the European Union, a special solution was needed. Hence, The UK Extension to the EU-US Data Privacy Framework (aka Data Bridge) was created to resolve the uncertainty and facilitate seamless data transfers.
The Data Privacy Framework is an adequacy decision of the European Commission which concludes that U.S. vendors participating in the framwork, ensures an adequate level of protection for personal data.
What is the UK-US Data Bridge?
The Data Bridge entered into force on October 12, 2023, allowing certifying entities to transfer personal data from the UK to the US easily.
By extending the EU-US Data Privacy Framework, the UK’s Secretary of State established a data bridge with the United States. This extension is called the UK-US Data Bridge. This means that by following the certification process included in the Data Privacy Framework, UK companies can now transfer personal data to the United States.
Data Bridge allows organizations in the U.K. to transfer personal data to U.S. organizations that adhere to the “U.K. Extension to the EU-US Data Privacy Framework” without requiring additional safeguards, such as the U.K. version of EU standard contractual clauses or binding corporate policies.
How does the UK-US Data Bridge work?
The EU-US Data Privacy Framework is an opt-in certification scheme for US companies, enforced by the Federal Trade Commission (FTC) and Department of Transportation (DoT) and administered by the Department of Commerce (DoC).
Organizations must be certified to comply with a set of enforceable principles and requirements in order to be eligible to join the Data Privacy Framework. Data protection principles govern how a company uses, collects, and discloses personal data and are expressed in the form of commitments. US organizations who have been certified to the Data Privacy Framework can opt-in to receive data from the UK.
Once a US organization has been certified and is publicly placed on the Data Privacy Framework List on the DPF website, it can receive UK personal data through a UK-US data bridge.
UK-US Data Bridge – Challenges
DPF and UK-US Data Bridge have been criticized by both the Information Commissioner’s Office (ICO) and privacy activists. According to the ICO, UK data subjects may face risks if the safeguards identified are not properly applied in the UK-US Data Bridge Regulations.
Several potential issues are identified with the UK-US Data Bridge, including:
- The UK-US Data Bridge does not contain substantially similar rights to the UK GDPR’s such as the right to be forgotten, the right to withdraw consent, and the right to obtain a review of an automated decision by a human.
- The definition of ‘sensitive information’ under the UK-US Data Bridge does not specify all the ‘special categories of personal data’ of the UK GDPR.
Hence, your organization must highlight the data as “sensitive” before the transfer to ensure it receives appropriate protections under the DPF. This will include: genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning sexual orientation.
Implications of the UK-US Data Bridge
Up until now, transfers from the UK to the US required organizations to conduct a transfer impact assessment (TIA), which includes considerations of the circumstances of the transfer, the chosen alternative transfer mechanism, and the relevant protections.
Among the prime benefits of the UK-US Data Bridge, which is based on the DPF framework, is that participating organizations are not required to conduct transfer impact assessments (TIAs) or implement supplementary measures.
However, companies are still required to implement supplementary measures if they rely on Standard Contractual Clauses (UK SCCs) or Binding Corporate Rules (BCRs). Data can be easily transferred between the UK and the US using the UK-US Data Bridge.
Furthermore, as the data protection landscape evolves, customers increasingly expect companies to actively participate in such data transfer frameworks, enhancing trust and compliance.
However, businesses must be minded. Based on history (Schrems I and Schrems II), it is likely that the Data Privacy Framework will be challenged again. In fact, NOYB (Non-of-your-business) has already stated that they plan to do so. It is best to use another transfer mechanism (such as UK SCCs) even if the vendor is certified under this framework, just in case.
The Data Privacy Framework and it’s British extension buddy, the UK-US Data Bridge, are one step toward harmonizing transatlantic data transfers. There are, however, some old challenges and new ones to be faced. Keeping up with the latest developments and ensuring the right mechanisms are in place is important.
Noa is a certified CIPM, CIPP/E, and a Fellow of Information Privacy (FIP) from the IAPP. Her background consists of marketing, project management, operations, and law. She is the co-founder and COO of hoggo, which builds transparency around data privacy practices.