UK-US Data Bridge approved as an extension of the Data Privacy Framework

The UK-US Data Bridge has been approved by the UK government as an extension of the Data Privacy Framework (DPF) and came into force on 12 October 2023. This means that UK and US businesses can now exchange personal data more easily and securely, as long as both parties comply with the DPF's principles and obligations.

The Data Bridge will facilitate cross-border data flows and support trade and cooperation between the two countries. It aims to ensure a high level of protection for individuals' privacy rights and interests. It comes as a result of extensive negotiations and consultations between the UK and the US authorities and reflects the shared values and commitments of both countries to uphold data protection standards.

What are the anticipated advantages of extending the DPF?

The extension to the DPF presents several advantages to both UK and US businesses, such as:

• The ability to exchange personal data without the need to implement additional safeguards such as entering International Data Transfer Agreements or implementing contractual clauses.
• UK companies will no longer be required to complete a Transfer Impact Assessment when relying on the Data Bridge.
• The costs and burdens of complying with different data protection regimes will be reduced.
• The ability to develop an enhanced relationship of trust with customers through signalling a commitment to data privacy and transparency rules.

What potential challenges does the Data Bridge present?

Whilst introducing obvious benefits, the Data Bridge does present certain legal challenges. It has been highlighted by the ICO that the DPF’s definition of ‘sensitive data’ does not match that contained in the UK GDPR, meaning that data falling into this category must be expressly identified as ‘sensitive’ before being transferred to a recipient organisation. Similarly, in order benefit from the Data Bridge, US recipients must be self-certified under both the DPF and the Data Bridge. Currently only organisations that are under the jurisdiction of the Federal Trade Commission or the Department of Transportation are permitted to self-certify, therefore excluding insurance, banking and telecommunications businesses from making use of the Data Bridge.

The ICO has also flagged further divergences between the DPF and GDPR, highlighting that the same level of protection does not apply to decisions based on automated processing, the right to be forgotten under the GDPR or the unconditional right of data subject to withdraw consent.

Our views

Organisations in the UK wishing to rely on the Data Bridge need to ensure that that their compliance documents are sufficiently updated to remain consistent with their transparency requirements. This includes updating their privacy policies and records of processing activities to include the Data Bridge as a transfer mechanism. UK businesses should also carefully review the types of personal data they intend to transfer to the US and ensure that all recipients are self-certified under both the DPF and the Data Bridge.