UK – U.S. Data Bridge approved

September 28th, 2023

Not long after the announcement of the EU–U.S. agreement for a Data Privacy Framework (DPF), the UK has followed suit. On the 21st of September, the UK Secretary of State for Science, Innovation, and Technology (DSIT) laid before Parliament the adequacy regulations establishing a data bridge between the UK and the U.S.

These regulations were presented shortly after the designation of the UK as a “qualifying state” by the U.S. Attorney General. As a result of this designation, UK data subjects may enjoy the redress mechanism included in Section 3 of the U.S. Executive Order 14086. This addresses one of the main issues raised by the Schrems II decision, which was the lack of appropriate remedy for data subjects. This new redress mechanism is also one of the main focuses of the analysis of the UK Extension by the UK DSIT, which concludes that the level of protection provided to UK data subjects by the UK Data Privacy Framework will not be undermined in the context of personal data transfers to U.S. certified entities.

What does the approval of the data bridge mean?

From the 12th of October, when the data bridge enters into force, personal data can be transferred from the UK to the U.S., as long as the recipient is a participant in the UK Extension to the EU-U.S. Data Privacy Framework. In this context, it will no longer be necessary to implement Standard Contractual Clauses (SCCs) and perform a Transfer Risk Assessment (TRA), or use any other transfer mechanism established in Articles 44 – 46 of the UK GDPR.

To enjoy the advantages of the data bridge, U.S. companies must be certified and comply with the principles of the DPF, which will be enforced by the Federal Trade Commission (FTC) and the Department of Transportation (DoT). Among others, the DPF incorporates requirements regarding:

  • Right of information and access for data subjects;
  • Right for data subjects to opt out, or to opt in where sensitive information is processed (e.g., health data);
  • Accountability for onward transfers;
  • Appropriate security measures;
  • Enforcement, liability, and redress (including the possibility of arbitration).

Conclusion

The UK Extension offers a new avenue for enhanced collaboration between UK and U.S. companies, simplifying the transmission of personal data to the U.S. However, potential related costs of certifying and complying with the DPF principles and the possibility of enforcement by U.S. authorities must also be taken into consideration by companies interested in adhering to this new framework.

Noelia Fernández Freire

Data Protection Lawyer

Manon Darms

Data Protection Lawyer & PDL

We are supporting our clients in this certification process. If you are interested, feel free to reach out to our team for support.
