UK data bridge to the US opens

From today, 12 October 2023, organisations in the UK will be able to transfer data to US organisations self-certified to the new US Data Privacy Framework (DPF) without the need for further safeguards required under UK GDPR (such as the use of standard data protection clauses in contracts and completion of the onerous Transfer Impact Risk Assessment). This will be good news for firms, but how did we get here and what do you need to know?

The transfer of data to the US has historically been permitted under the EU-US Data Privacy Shield Framework. However, as a result of the CJEU Schrems II decision in 2020, this method of transfer was invalidated. Following that decision, work has been ongoing to develop a new framework which addresses the shortcomings identified by the CJEU (including concerns about access to and retention of data by US intelligence agencies). Since Brexit, this has been done separately by the UK and EU.

The EU got there first, with the European Commission formally adopting an adequacy decision in July 2023 in respect of the new EU-U.S. Data Privacy Framework (DPF). The UK’s own adequacy regulations followed in September 2023 (effective today), creating the UK Extension to the DPF, also referred to as the “UK-US data bridge”.

Under the DPF, eligible US-based organisations are able to self-certify their compliance pursuant to the DPF and publicly commit to comply with the DPF Principles. Organisations must submit an application and a privacy policy conforming to the EU-U.S. DPF Principles. UK firms are able to transfer data to US organisations self-certified to the DPF without the need for further safeguards.

The UK Government has published a Factsheet for UK organisations wishing to transfer data using this mechanism which covers, among other things:

  • The types of organisations that can use the DPF

  • How to check which organisations have self-certified to the DPF

  • The categories of data which are excluded from transfer under the DPF (i.e. journalistic data)

  • The treatment of special category data (sensitive data) and criminal offence data under the DPF

These developments will likely require firms that export data to the US to review their data transfer practices and update relevant data protection policies and privacy policies. And while the DPF only covers data transfers to the US, it provides a great opportunity to review your data transfers more broadly across other geographies and check compliance.

If you need help, get in touch.
