Transferring Personal Data to Certified US Organisations

On 12th October 2023, the UK-US Data Bridge came into force. The Data Bridge allows for the free movement of personal data covered by the UK GDPR from the UK to certain certified organisations in the US without the need for additional safeguards such as Standard Contractual Clauses or binding corporate rules.

The UK-US Data Bridge is an extension of the EU-US Data Privacy Framework. The European Commission adopted an adequacy decision for the Framework back in July. This was followed by the laying before Parliament of the UK’s own adequacy regulations to establish the Data Bridge on 21st September.

Despite the terms “adequacy decision” and “adequacy regulations”, it is important to note that this is not the same as an adequacy decision which covers a particular country’s data protection laws as a whole. The Data Bridge is limited in application to self-certified US organisations that sign up to the EU-US Data Privacy Framework, taking additional steps to participate in the UK-US Data Bridge. Furthermore, not all types of organisation can sign up (for example, banking, insurance, and telecoms companies), and there are some limitations on the types of personal data that can be transferred (more detail below).

How Does the Data Bridge Work?

The Data Privacy Framework and, by extension, the Data Bridge effectively does away with the need for risk assessments and measures such as Standard Contractual Clauses because the US organisations signing up are committing to comply with GDPR-level privacy and data protection standards and obligations. This commitment is enforceable under US law by the relevant US enforcement body which, in many cases, will be the Federal Trade Commission or “FTC”. It is also important to remember that the US organisation must first sign up to the Data Privacy Framework before it can sign up to the Data Bridge.

Limitations of the Data Bridge

For many types of personal data, the Data Bridge will make it easier and more convenient to transfer personal data from the UK to the US; however, there are some issues where special category or sensitive personal data is concerned.

The definition of “sensitive information” under the Data Bridge does not completely align with the definition of special category personal data under the UK GDPR. It does not incorporate genetic data, biometric data for the purpose of uniquely identifying a natural person, or data pertaining to sexual orientation. Criminal offence data is also omitted.

There is, however, a provision in the Data Bridge covering data which the party sharing that data has previously treated as sensitive, meaning that “sensitive information” will include that data, but the UK organisation sharing it should take care to identify it as such when sharing it with a US recipient.

From a business perspective, criminal offence data might need to be shared in the HR context. As with other “sensitive information”, the UK business sharing the data must identify it as such when sharing it with the US recipient.

There are other types of data that are not covered by the Data Bridge, including journalistic data.

Practical Steps to Take

As stated above, the Data Bridge only applies if the US organisation to which you wish to send personal data has self-certified. The US Government maintains a list (available here) of all organisations currently signed up. At a glance, it is easy to see whether the organisation in question has signed up to the Data Bridge (the “UK Extension to the EU-US Data Privacy Framework”) or just the Data Privacy Framework.

If your business intends to use the Data Bridge, you must also ensure that your privacy information (e.g., Privacy Policy or Privacy Notice) is up to date and accurately documents how you transfer personal data to the US, including the means used to ensure that it is protected to UK GDPR standards (i.e., the UK-US Data Bridge).

It is also worth noting that transfer mechanisms that were previously suitable for transferring personal data to the US, such as an International Data Transfer Agreement or binding corporate rules, remain valid. As noted below, despite it being new, the future of the Data Bridge is at the very least open to question, and it may be preferable to have backup arrangements in place to protect the data in the form of one of the established mechanisms.

As always, when planning any significant change to your data processing and protection arrangements, professional advice should always be sought. The Information Commissioner also provides detailed guidance on data protection, including international transfers (although at the time of writing, it is yet to update its information to include the Data Bridge).

The Future of the Data Bridge

Anyone who has been transferring personal data from the EU or UK to the US for a while will likely be familiar with the successful challenges made against the forebearers to the Data Protection Framework and Data Bridge. Austrian lawyer and activist, Max Schrems, successfully challenged the EU-US Safe Harbour and its successor, the Privacy Shield, and has already stated his intention to challenge the Data Privacy Framework.

While UK and US officials have reportedly made reassurances that a successful challenge to the EU Data Privacy Framework may not necessarily put a stop to the Data Bridge, the need for the UK to maintain its adequacy status with the EU may inevitably lead to the fall of the Data Bridge in any case should the Data Privacy Framework be invalidated.

For the time being, however, the UK-US Data Bridge will be a welcome simplification for many UK businesses, enabling the transfer of personal data to businesses in the US with considerably less paperwork.