Skip to content

What is the UK-US Data Bridge?

Table of Contents

Your business must comply with international data transfer laws if it sends personal data outside the UK. The UK made an important adequacy decision in October 2023, which allows UK organisations to transfer personal data to US organisations that have signed up to a certification scheme known as the UK-US Data Bridge. This article will explore the UK-US Data Bridge and the key issues UK organisations should understand. 

Rules on Transferring Personal Data Outside of the UK

UK organisations must comply with strict international data transfer law rules when transferring personal data to countries outside the UK. The UK General Data Protection Regulation (UK GDPR) sets out rules to ensure that personal data is adequately protected when transferred outside the UK.  

Generally, transferring personal data outside the UK is prohibited unless your organisation can rely on a valid exemption. This is because some countries have inadequate privacy protection laws. Consequently, transferring personal data to those countries could put individuals’ data at risk. 

Various exceptions allow organisations to transfer personal data to countries outside the UK. The most common exceptions include transferring personal data to a country outside the UK deemed to have an ‘adequate’ level of data protection. These are commonly known as ‘adequacy decisions’. 

Alternatively, businesses may transfer personal data to a country outside of the UK if appropriate safeguards have been put in place to protect the transfer of personal data. ‘Appropriate safeguards’ most commonly include data protection contractual documents approved by regulators, known as ‘Standard Contractual Clauses’ or the UK’s ‘International Data Transfer Agreement’.

Currently, the following countries have been deemed ‘adequate’ by the UK:

  • Andorra;
  • Argentina;
  • Canada (commercial organisations only);
  • Faroe Islands;
  • Guernsey;
  • Isle of Man;
  • Israel;
  • Japan (private-sector organisations only);
  • Jersey;
  • New Zealand;
  • Switzerland;
  • Uruguay; and 
  • the EU member state and European Economic Area members. 

What is the UK-US Data Bridge?

The EU-US Data Privacy Framework 

Previously, transferring personal data to the US was problematic under European and UK data protection law regimes. Various risks arose from transferring personal data to the US, including US law enforcement authorities having access to personal data. There have been attempts to create safe data transfer mechanisms to send personal data to the US safely. However, these mechanisms have been challenged and invalidated. 

The European Commission, however, approved an adequacy decision for a new ‘EU-US Data Privacy Framework’ (DPF) on 10 July 2023. The DPF is an opt-in certification scheme for US organisations to facilitate flows of personal data from the EU to the US. 

The DPF includes several principles and requirements that certifying US organisations must comply with. For example, the DPF includes:

  • commitments to data protection; and
  • rules concerning how US organisations should use, collect and disclose personal data.

European organisations can transfer personal data from the EU to US organisations self-certifying to the DPF without implementing additional data protection safeguards (such as Standard Contractual Clauses).

The UK-US Data Bridge

As the UK is no longer a part of the European Union, the DPF is not a valid international data transfer mechanism for UK organisations. 

To benefit from the arrangement, the UK government approved a new ‘UK-US Data Bridge’ arrangement, commencing 12 October 2023. 

UK organisations transfer personal data to US organisations, certified by the ‘UK Extension to the EU-US Data Privacy Framework’. This means you can only send personal data to US organisations that are self-certified to both the DPF and the UK-US Data Bridge. 

This is welcome news for UK organisations, as (if they meet the criteria) organisations may send personal data to the US without implementing additional safeguards such as the UK International Data Transfer Agreement or considering another lawful derogation allowing the transfer of personal data to the US. Putting in place such documents and carrying out complex and lengthy transfer risk assessments is often expensive and time-consuming for organisations. The UK-US Data Bridge will likely reduce time, costs and risk for businesses seeking to transfer personal data to the US. 

It is important to note that the UK-US Data Bridge will only be appropriate for some data transfers to the US.

Continue reading this article below the form
Need legal advice?
Call 0808 196 8584 for urgent assistance.
Otherwise, complete this form and we will contact you within one business day.

What Should Businesses Seeking to Rely on the UK-US Data Bridge Do?

If you seek to rely on the UK-US Data Bridge, carefully check that you meet all requirements before sending personal data to the US. You must ensure that the: 

  • US organisations are correctly certified to both the DPF and UK Extension to the DPF; and 
  • UK-US Data Bridge covers your transfers of personal data. 

Be aware that the UK-US Data Bridge will not cover certain transfers of personal data.

Update your UK GDPR compliance documentation if you seek to rely on the UK-US Data Bridge. For example, update your Privacy Policy and Record of Processing Activities to cover relying on this data transfer mechanism. 

Remember, there is still a requirement to conduct appropriate due diligence on any third parties you wish to transfer personal data to. You will also need appropriate data processing or data sharing agreements with those third parties, including US organisations. 

Front page of publication
Privacy Notice

This Website Privacy Notice states how a business will deal with the personal information of its users.

Download Now

Key Takeaways

The UK-US Data Bridge is welcome news for UK organisations, allowing a more straightforward mechanism for transferring personal data to the US. However, there are various actions that your organisation must take if you seek to rely upon the UK-US Data Bridge for your transatlantic data transfers. Businesses hope that the UK-US Data Bridge will make transfers of personal data to the US easier. However, this international data transfer mechanism has already faced challenges and scrutiny. As such, you should watch this space and monitor developments. 

If you require advice on the UK-US Data Bridge and how it impacts your data flows, our experienced data, privacy and IT lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 0808 196 8584 or visit our membership page.  

Register for our free webinars

Spam, Cookies and Content: Legal Considerations When Leveraging Digital Marketing

Online
Understand your business’ marketing legal obligations in the digital age. Register for our free webinar today.
Register
See more webinars >

We’re an award-winning law firm

  • Award

    2023 Economic Innovator of the Year Finalist - The Spectator

  • Award

    2023 Law Company of the Year Finalist - The Lawyer Awards

  • Award

    2023 Future of Legal Services Innovation - Legal Innovation Awards

  • Award

    2021 Fastest Growing Law Firm in APAC - Financial Times