Privacy Shield 3.0: The UK-US Data Bridge has been announced

On 21 September 2023, the UK Government officially confirmed that it will extend the transatlantic data transfer deal between the European Union (“EU”) and the United States of America (“US”), creating the UK-US ‘data bridge’. The necessary adequacy regulations will come into effect next month. This means UK businesses and organisations will be able to lawfully transfer personal data to certified organisations in the US under Article 45 of the UK GDPR, without the need for further safeguards set out in Article 46 and 49 of the UK GDPR. However, it remains to be seen whether this framework will be an accessible and lasting solution for data transfers between the UK and US. 

Adequacy regulations

Under Section 17A of the Data Protection Act 2018, The Secretary of State for Science, Innovation, and Technology, the Rt Hon Michelle Donelan, took the decision to establish the UK-US data bridge through the UK extension to the EU-US Data Privacy Framework. 

Donelan determined that the UK Extension to the UK-US Data Privacy Framework does not undermine the level of data protection for UK data subjects when their data is transferred to the US subject to that framework, as the framework maintains the high standards of privacy for UK personal data.  

US Decision

On 18 September 2023, the US Attorney General, Merrick Garland, designated the UK as a “qualifying state” under Executive Order 14086 (“Enhancing Safeguards for United States Intelligence Activities”). This means that individuals whose personal data has been transferred from the UK to the US under any transfer mechanism, such as those outlined in the UK GDPR have access to the newly established redress mechanism in the event they believe that their personal data has been accessed unlawfully by US authorities for national security purposes. This is a new and important safeguard that the US introduced to address the concerns raised in the 2020 Schrems II judgment. 

What does this mean for UK business?

The UK-US Data Bridge aims to ensure a high level of protection for individuals when their data is transferred from the UK to the US. The UK Government took steps to ensure the level of protection that individuals enjoy under the UK GDPR is not undermined (which, as discussed above, the UK Government states included assessing the level of protection of personal data under the framework, as well as the wider legal and regulatory systems). The UK-US Data Bridge is intended to ensure that high standards of protection for personal data are maintained when data is sent to certified US organisations, and any organisation in the US that elects to receive such data under this framework will be required to maintain such standards. That said, the UK-US Data Bridge will not remove the obligations of UK organisations under UK data protection laws to ensure that personal data is properly protected, and the rights of data subjects upheld. 

Importantly, there are requirements for both UK and US organisations wishing to use the UK-US Data Bridge including UK organisations confirming that the US recipient is certified with the framework. Also, UK organisations should be mindful of the need to update Privacy Policies and document their own processing activities as necessary to reflect any changes in how they transfer personal data to the US.

Many organisations currently use, and may continue to use, alternative transfer mechanisms to transfer personal data from the UK to the US. However, such organisations are required to comply with various regulatory provisions, for example, the completion of a transfer risk assessment, to consider whether, in the circumstances, the relevant protections for UK data subjects would be undermined by the laws and practices of the US. Such compliance has often been complex and costly — the new regime may save time and money, while reducing risk.  

Will the UK-US Data Bridge survive scrutiny?

Following its implementation, transfers of personal data to the US under the framework will be lawful without additional safeguards which are currently required. However, previous US transfer arrangements have been successfully challenged.

The Information Commissioner’s Office (“ICO”) has highlighted specific areas that could pose risks to data subjects in the UK. For example, the ICO highlights concerns with regard to certain terminology used and also recommends monitoring the implementation of the UK-US Data Bridge generally, to ensure it operates as intended.

It is noteworthy that the EU-US Data Privacy Framework is currently facing legal challenge. If the EU-US Data Privacy Framework collapses, the viability of the UK extension may be questionable, and it may create potential difficulties for the UK maintaining its adequacy status for transfers of personal data from the EU.

If your organisation transfers personal data to the US, begin your preparations now — the clock is ticking towards 12 October.