The UK-US Data Bridge was brought into effect in October 2023, with the aim of simplifying data transfers across the Atlantic. It allows UK organizations to send personal data to US organizations that have signed up, without the need for additional compliance mechanisms that would otherwise be required.
The Data Bridge and its Intended Purpose
The Data Bridge seeks to make it much simpler for UK organizations to send personal data to some organizations based in the US. Such transfers require a transfer mechanism or a derogation under Chapter V of the UK’s implementation of Regulation (EU) 2016/679 (the UK GDPR). Without such a mechanism or derogation, the transfer of personal data to recipients located outside the UK is prohibited. UK organizations can implement several different mechanisms or derogations to overcome this restriction, including the use of certain pre-approved contracts or obtaining the prior consent of affected individuals.
Where the UK’s Information Commissioner’s Office (ICO) has determined that a jurisdiction provides an ‘adequate’ level of protection for personal data transferred, personal data can flow freely from the UK to that jurisdiction without the transferor needing to implement additional safeguards.
While the US had twice previously been deemed adequate under the pre-Brexit EU GDPR regime, the Court of Justice of the EU (CJEU) has twice issued rulings that effectively invalidated those adequacy decisions, most recently in Schrems II. One major concern for the CJEU has been the level of protection applied to personal data transferred to the US, as government agencies can often access such data for law enforcement and national security purposes.
Following Schrems II, the EU and the US entered into discussions regarding the US’s Data Privacy Framework (DPF). The European Commission issued an adequacy decision under the EU GDPR in respect of the DPF. This allows personal data to lawfully be transferred from the European Economic Area (EEA) to US organizations that have self-certified to the DPF. The adequacy decision was issued on the basis that the DPF provides additional safeguards and redress mechanisms to affected individuals (particularly where their data may be accessed by US intelligence agencies).
The Data Bridge acts as an extension of the DPF, meaning personal data can lawfully be transferred from the UK to US organizations that have self-certified to the DPF, providing affected individuals with similar safeguards and redress mechanisms to those set out in the DPF.
As a result, two key hurdles have been removed for UK organizations seeking to transfer personal data to US recipients that have self-certified to the DPF. First, UK organizations no longer need to implement additional safeguards in this scenario, which can be complex, costly and time-consuming. Second, data transfer regimes by enabling entities in the UK and the EEA (and, once adequacy is formalized, Switzerland), are now largely harmonized, ensuring UK organizations face fewer complexities when transferring data to US organizations that have self-certified to the DPF.
Practical Considerations
There Are Still Some Restrictions Under the Data Bridge
As mentioned earlier, personal data can only be transferred to a US recipient on the basis of the Data Bridge if the US recipient is self-certified under both the DPF and the Data Bridge (referred to on the Data Bridge website as the “UK Extension”).
However, not every US organization is permitted to self-certify to the DPF. Only those under the jurisdiction of the Federal Trade Commission (FTC) or the Department of Transportation (DoT) are permitted. Insurance, banking and telecommunications organizations are therefore generally excluded.
Some Categories of Personal Data Must be Identified as ‘Sensitive’
UK organisations need to be aware of the types of personal data they are transferring and whether these are covered by the Data Bridge. For example, journalistic data (which is personal data gathered for publication, broadcast or other forms of public communication) cannot be transferred under the Data Bridge.
Furthermore, certain categories of personal data (including genetic data or biometric data used for the purpose of uniquely identifying an individual, data concerning sexual orientation, and criminal offence data) have to be marked as ‘sensitive’ to lawfully be transferred under the Data Bridge. These categories of personal data also require additional protections when transferring any of them to a US recipient.
Organizations Must Update Their Documentation
UK organisations relying on the Data Bridge must update their data protection compliance documentation by listing the Data Bridge as a relevant transfer mechanism in their privacy notices, and in new data transfer agreements with relevant US organizations. They must also update their records of processing activities and disclose which international transfers of personal data are subject to the Data Bridge.
The Future of the Data Bridge is Not Guaranteed
It is very likely that the EU Commission’s adequacy decision in respect of the DPF will be challenged in the CJEU, on the basis that the DPF arguably does not do enough to protect EU citizens whose personal data are transferred to the US. This risk is heightened because the CJEU has invalidated previous adequacy decisions on similar grounds.
Any such challenges may take years to reach the CJEU, and it is unclear whether similar challenges will be raised in the UK. However, the ICO has already issued an Opinion highlighting specific areas that could leave the Data Bridge open to challenge. As such, UK organizations that send personal data to US recipients need to keep developments in this area on their radar and should consider whether to rely on the Data Bridge or continue to use other data transfer mechanisms or derogations when transferring personal data to the US. This is to avoid the risk that the Data Bridge is later invalidated by the courts.
Any views expressed in this publication are strictly those of the author and should not be attributed in any way to White & Case LLP