UK-US Data Bridge – an easier solution to exporting personal data to the USA?
The UK-US Data Bridge came into force on 12 October 2023 with the intention of making it easier for UK organisations to send personal data to the United States in connection with their legitimate business activities.
Connection to EU Data Protection Law
This is an extension of the EU-US Data Privacy Framework (“EUDPF”), which was implemented in the EU this summer to assist EU organisations in similarly making such international transfers of personal information. Under the EUDPF, if a US organisation is registered with the EUDPF then personal information can be sent from the EU to that US organisation without needing to put in place any other international data transfer safeguards such as standard contractual clauses (see International Data Transfer Agreements article) or binding corporate rules.
Under the UK-US Data Bridge, UK organisations can similarly rely on a US organisation’s registration with the EUDPF as an adequate safeguard to transfer personal data to that US organisation (rather than putting in place an International Data Transfer Agreement (“IDTA”) or other safeguard).
One of the key aims of the UK-US Data Bridge is to save on administration for organisations which do business with the United States, such as by avoiding the need to implement additional legal documents between different entities, partners and service providers respectively based in the UK and the USA.
Potential Drawbacks of the Data Bridge
It must be remembered that the UK-US Data Bridge only applies in respect of specific US organisations registered with the EUDPF, and cannot be relied upon to transfer personal data to the United States as a whole.
The situation here is not as straightforward as it is with countries such as New Zealand and Switzerland, which benefit from nationwide data protection adequacy decisions covering all organisations in those countries, without them needing to register to a particular framework or similar scheme in order to receive personal data from the UK.
Under the UK-US Data Bridge, the UK data exporter will first need to check that the proposed US recipient is a registered participant of the EUDPF. Certain specific sectors in the US are not eligible to participate at all in the EUDPF - e.g. those in banking, insurance and telecommunications. Any UK organisation seeking to transfer personal data to a US organisation not registered with the EUDPF will need to find an alternative legally approved safeguard to do so (e.g. an IDTA).
It is also entirely possible to ‘ignore’ the UK-US Data Bridge and rely on an alternative legally approved safeguard, such as an IDTA or binding corporate rules, to transfer personal data to a US organisation registered with the EUDPF.
A further potential caveat is that this is not the first attempt at creating a personal data transfer scheme between the UK and the USA, and that two previous schemes with similar intent (Safe Harbour and Privacy Shield) have been abolished due to legal concerns connected with access to personal data by US state agencies. Similar concerns have been raised by certain commentators in respect of this latest scheme and it is therefore possible it is not a dependable long-term solution if any future legal challenge to the EUDPF and/or the UK-US Data Bridge is successful.
While the UK-US Data Bridge certainly has potential to ease the burden of documenting and regulating international transfers of personal data to the United States, it only has limited application and is also potentially subject to legal challenge. Therefore, those UK organisations that regularly transfer personal data to the USA (e.g. those who use third-party processors in the USA) and expect to do so for the foreseeable future may still consider it prudent to rely on an alternative available safeguard (such as the IDTA) until the fallout of any potential legal challenge to the EUDPF is known.