UK-US Data Bridge Document Review

Following the news last month that the UK-US Data Bridge had come into force, a number of data protection document templates have been reviewed and received updates for improved compatibility with the Data Bridge and other “partial findings of adequacy”.

Background to the UK-US Data Bridge

The UK-US Data Bridge is an extension of the EU-US Data Privacy Framework. The European Commission adopted an adequacy decision for the Framework back in July. This was followed by the laying before Parliament of the UK’s own adequacy regulations to establish the Data Bridge on 21st September.

The Data Bridge is designed to make it easier for organisations in the UK to transfer personal data to organisations in the US. It effectively removes the need for risk assessments and measures such as Standard Contractual Clauses (the recent International Data Transfer Agreement, for example), because organisations that sign up to the Data Privacy Framework are thereby committing to comply with GDPR-level privacy and data protection obligations and standards.

There are limitations, however, and we look at those in more detail here.

Partial Findings of Adequacy

When transferring personal data outside of the UK, it is important to ensure that it will continue to be protected to UK GDPR standards. In some cases, this is straightforward. When transferring data to an EU or EEA country, no additional safeguards are needed. If personal data is being transferred to a non-EU or EEA country, however, additional safeguards will be required.

In this context, adequacy regulations are particularly important. Adequacy regulations apply to particular countries whose data protection framework has been assessed and found to be adequate when measured against UK GDPR standards. EU adequacy decisions which were current as at 31 December 2020 are also valid in the UK. In addition to these full adequacy regulations, the UK has partial findings of adequacy. These are more limited than adequacy regulations, focusing instead on specific organisations, frameworks or mechanisms, or on personal data covered by specific legislation. The UK-US Data Bridge is a key example of this. Other partial findings of adequacy are detailed on the ICO website (external link).

Other safeguards may take the form of Standard Contractual Clauses (for example, the ICO’s International Data Transfer Agreement); Binding Corporate Rules; legally binding and enforceable instruments between public authorities or bodies; approved codes of conduct; certification under an approved certification scheme; or administrative arrangements between public authorities or bodies.