On 21 September 2023, Michelle Donelan, the UK's Secretary of State for Science, Innovation, and Technology, laid before Parliament the regulations needed to establish the UK-US data bridge. The framework is intended to support trade between the UK and the US by simplifying transfers of personal data between the two countries, and it takes effect today - 12 October 2023. UK organisations that transfer personal data to the US should therefore review their transfer arrangements and decide whether, and how, to rely on the new mechanism.
Understanding the UK-US data bridge
The UK-US data bridge is built on the EU-US Data Privacy Framework (DPF), the adequacy-based mechanism adopted by the European Commission in July 2023 that allows personal data to be transferred from the European Union to US organisations certified under the framework. With the UK-US data bridge, UK-based organisations can transfer personal data to US entities that have certified to the "UK Extension to the EU-US Data Privacy Framework" without putting in place an additional transfer safeguard such as the ICO's International Data Transfer Agreement or Addendum (the UK equivalents of the EU's standard contractual clauses) or binding corporate rules.
The UK Government's position is that the UK-US data bridge provides adequate protection for personal data transferred under it, provided that two conditions are met:
- The transfer is made to a US organisation that appears on the DPF List, maintained by the US Department of Commerce, as a participant in the UK Extension.
- Once received, the personal data is handled by the US organisation in accordance with the DPF principles.
In parallel, the US Government has designated the UK as a "qualifying state". This gives UK data subjects access to the redress mechanism the US created for the DPF, through which individuals can complain if they believe their personal data was collected or processed unlawfully by US intelligence agencies for national security purposes.
Changes to current transfer procedures
From 12 October 2023, UK organisations can transfer personal data to US organisations certified under the UK Extension without relying on the usual transfer tools, such as the ICO's International Data Transfer Agreement (IDTA) or its International Data Transfer Addendum to the EU Standard Contractual Clauses.
Utilising the UK-US data bridge
To receive data under the UK-US data bridge, a US organisation must be certified under the DPF and must have opted into the UK Extension. Certification is voluntary and based on self-certification: an eligible US organisation commits to complying with the DPF principles and makes that commitment public in its published privacy policy.
The DPF principles set out data protection obligations and specify how certified organisations must handle the collection, processing, and onward disclosure of personal data. The US Department of Commerce (DoC) administers the DPF: it processes certification applications, maintains the DPF List, and monitors ongoing compliance. The US Federal Trade Commission (FTC) enforces the commitments organisations make when they certify. Only US organisations subject to the jurisdiction of the FTC or the US Department of Transportation (DoT) can participate in the DPF program.
As a result, organisations outside those jurisdictions, such as banks, insurance companies, and telecommunications carriers, are currently unable to self-certify under the DPF, and transfers to them must continue to rely on another safeguard.
It is also important to note that the DPF principles do not apply to journalistic data, meaning personal information gathered for journalistic purposes, so such data cannot be transferred under the data bridge.
What actions should be taken?
For UK organisations engaged in personal data transfers to the US under the UK Extension to the DPF, the following steps are recommended:
- Verify that the data importer (the US recipient) holds an active DPF certification by checking its entry on the DPF List.
- Confirm, again on the DPF List, that the importer has opted into the UK Extension. If HR data is being transferred, check that the importer's certification covers HR data and that its privacy policy reflects this.
- Identify to the importer any data that the UK GDPR treats as special category or criminal offence data but that the DPF's definition of "sensitive information" does not automatically cover, such as genetic data, biometric data, data about sexual orientation, and criminal offence data, so that the importer applies the DPF's protections for sensitive data to it.
- Consider keeping an alternative safeguard in place, such as the ICO's International Data Transfer Addendum to the EU Standard Contractual Clauses, so that transfers can continue if the UK-US data bridge is invalidated.
What about the Transfer Impact Assessment (TIA)?
Organisations transferring personal data to the US under the UK Extension to the DPF are not required to carry out a TIA (referred to by the ICO as a transfer risk assessment, or TRA), because the adequacy regulations already cover the assessment of US law. The effect of the data bridge on transfers that continue to rely on other safeguards, such as the IDTA or Addendum, has not yet been spelled out by the UK authorities; it may follow the approach in the European Commission's Q&A on the EU-US DPF, which indicated that the safeguards introduced by the US can be taken into account in assessments for transfers made under other tools.
Are there concerns surrounding the UK-US data bridge?
In its opinion on the proposed regulations, the ICO identified several areas where the protections under the data bridge fall short of those in the UK GDPR, including:
- Narrower rights for individuals in relation to automated decision-making.
- Gaps in data subject rights, in particular no equivalent to the right to be forgotten and no unconditional right to withdraw consent.
- Uncertainty about how criminal conviction and offence data will be protected.
- The risk that data the UK treats as special category data will not be recognised as sensitive under the DPF unless the exporter flags it.
In addition, the UK-US data bridge could be challenged in the UK courts, in the same way that the EU-US DPF is already being challenged before the EU courts. UK organisations are therefore advised to maintain an alternative transfer mechanism as a fall-back.