Since the adoption of the EU-US Data Privacy Framework in July 2023, businesses have been waiting for the UK and US to formalise a similar arrangement, which will facilitate lawful personal data transfers from the UK to the US. From 12 October 2023, the wait will come to an end as the new UK-US “data bridge” will allow for the lawful cross-border exchange of UK personal data.
Under UK data protection law, personal data can only be transferred internationally if there is an “adequacy decision” in place for the country to which the data is transferred or the data exporter and data importer ensure there are “appropriate safeguards” in place in respect of the transferred data.
Since the Schrems II judgment in 2020, there has been no adequacy decision in place for the US, so businesses transferring personal data to the US have had to rely on an appropriate safeguard, which usually means incorporating the standard contractual clauses or “SCCs” into their contracts and completing burdensome transfer risk assessments.
In July 2023, the European Commission adopted the EU-US Data Privacy Framework (“EU DPF”), which allowed US businesses to be certified under the framework to lawfully receive EU personal data, as set out in our article on the EU-US Data Privacy Framework.
On 21 September 2023, a new UK-US “data bridge” was announced by the UK Government, allowing US businesses to be certified under an extension to the EU DPF so they can lawfully receive UK personal data as well as EU personal data.
US businesses that are subject to the Federal Trade Commission and the Department of Commerce, and that are already certified under the existing EU DPF, will be able to opt in to extend their certification to cover UK personal data. By certifying under the EU DPF and UK data bridge, US businesses agree to uphold GDPR principles in respect of the personal data transferred to them from the EU and UK.
Businesses that transfer UK personal data to the US will be able to rely on the UK data bridge from 12 October 2023.
The rules on international transfers of personal data have become increasingly complex in recent years following the Schrems II judgment.
The UK data bridge provides some welcome certainty as businesses know they can lawfully transfer UK personal data to US businesses that are certified under the EU DPF and UK data bridge without the need to include SCCs in their contracts or complete burdensome transfer risk assessments.
It will be particularly useful to businesses with both UK and EU operations as they can now treat all their personal data transfers to the US in the same way.
However, it is important to remember the EU DPF and UK data bridge only apply to transfers of personal data to certified US businesses. If you are transferring personal data to US businesses that are not certified or are transferring personal data to other countries, then you will have to rely on either another adequacy decision or an appropriate safeguard, such as the SCCs supported by an appropriate transfer risk assessment.
Finally, the UK Information Commissioner’s Office (“ICO”) has given its opinion on the UK data bridge. Whilst the ICO is broadly comfortable, it has identified some areas that could create risk for UK data subjects if the protections are not properly applied. In particular, some personal data that is treated as sensitive under the UK GDPR is not classed as sensitive under the EU DPF unless it is expressly identified as such by the data exporter. UK businesses should be alert to this and should be identifying any sensitive personal data to their US data importer. We expect further guidance to be issued by the ICO in this area shortly, and it will be important for businesses to stay up to date with the guidance as it is released.
If you have any questions regarding international transfers of personal data, please get in touch with the commercial team at Marriott Harrison.