Updates to Data Protection regulations: UK-US Data Bridge
Earlier this month, UK Prime Minister Rishi Sunak and US President Joe Biden announced that the UK and US had reached a commitment in principle to establish a ‘data bridge’ between the two countries.
The UK-US data bridge will be a UK extension to the EU-US Data Privacy Framework due to be adopted by the EU Commission this summer.
What is meant by ‘data bridge’?
The proposed data bridge will act as a UK adequacy decision, facilitating the free flow of personal data from the UK to US organisations that certify for the scheme.
Why has it been proposed?
Currently, UK businesses must use expensive and inefficient alternative transfer mechanisms, such as individual contractual clauses, to ensure protection and privacy standards are maintained when transferring personal data to the US.
Introducing a data bridge will reduce the current burdens on UK businesses who wish to transfer data to the US. By making it easier for UK businesses to operate and trade internationally, the data bridge will ultimately speed up business processes, reduce costs, and increase opportunity.
The current legal framework
Under GDPR, transfers to third countries can only take place if there are appropriate safeguards and an international transfer mechanism. The cases brought by Max Schrems to the EU Commission struck down the previous EU-US Safe Harbour and Privacy Shield schemes due to concerns about the US government’s surveillance powers over data that resided in the US. The Privacy Framework is intended to be more robust than its predecessors.
The European Commission has proposed to adopt the EU-US Data Privacy Framework by issuing an adequacy decision for it, and the UK government will follow suit and adopt the UK-US data bridge as an extension of the framework.
What does this mean for UK businesses transferring data to the US?
A UK extension to the EU-US Data Privacy Framework will provide certainty on data flow between the UK and the US, with a framework specific to UK-US transfers.
For now, proposals for the data bridge are still in their early stages, and further technical work must be carried out before any final decision to introduce the UK-US data bridge can be made. First, the UK must assess the data protection laws and practices of the US, and the US must designate the UK as a qualifying state.
In the meantime, it is important for businesses to continue to use appropriate safeguards when transferring personal data to the US, such as:
- the new EU standard contractual clauses (SCCs) for EU-to-US transfers
- the new international data transfer agreement (IDTA) for UK-to-US transfers.
The IDTA and SCCs will still be relevant following the adoption of the data bridge if the US recipient is not registered for the framework.
Businesses should also note that any data transfer agreements relying on the old SCCs for transfers from the UK must be updated by 23 March 2024 with the new UK IDTA.
In each case, a data transfer impact assessment (DTIA) should be carried out.
Contact our corporate and commercial solicitors today
If you have any questions on any of the issues raised in this article or any queries in relation to the services our Corporate and Commercial team can offer you, please contact us using our online enquiry form or by calling 0330 191 4835.