After 2 years of discussions, the UK and US have committed in principle to establish a new ‘data bridge’.
The data bridge would operate as a UK extension to the EU-US Data Privacy Framework and facilitate the free flow of personal data between organisations in the UK and US that meet certain requirements. Its implementation is contingent on the UK’s assessment of US data protection laws and practices, as well as the US designating the UK as a qualifying state.
The move was announced as part of a broader “Atlantic Declaration” which sets out a “first-of-its-kind” action plan under which the UK and US will cooperate across “pressing economic issues of our time” including data flows and the safe development of emerging technologies.
If adopted, the government claims the data bridge will “make it easier for around 55,000 UK businesses to transfer data freely to certified US organisations without cumbersome red tape” and deliver annual savings to business of around £92.4 million.
How will the data bridge work?
At present, the UK GDPR prohibits the transfer of personal data outside the UK unless:
an adequacy regulation applies to the destination of transfer, under which UK authorities have determined that the importing country has an adequate level of protection over personal data; or
one of the prescribed ‘appropriate safeguards’ is in place (e.g., an international data transfer agreement); or
one of the limited derogations applies.
The data bridge would take effect as a UK adequacy regulation, enabling data to flow freely from the UK to US organisations that have been certified for the scheme.
When undertaking transfers from the UK to US organisations that are not certified under the scheme, however, an appropriate safeguard or relevant derogation will still be required. This also requires a data transfer impact assessment to be carried out.
The data bridge proposals are still in their early stages, and the UK and US governments will need to clarify key details of its operation before making any final decision on adoption. For example, the scope of use is unclear – will it follow the EU-US Data Privacy Framework or be wider, or narrower, in application? The certification requirements for US organisations to participate in the scheme also remain to be defined.
In finalising its assessment, the UK government will need to consider not only the protection of personal data but also the rule of law, respect for human rights and fundamental freedoms, and the effective functioning of the ICO, as the relevant regulator.
Meanwhile, the EU-US Data Privacy Framework is expected to come into force in summer 2023, although both the European Parliament and the European Data Protection Board have raised concerns about whether the framework complies with EU law. If the EU-US Data Privacy Framework is delayed or recast, it is unclear to what extent this may influence decisions in Westminster and Washington, DC.
The UK government will also need to be alive to the potential impact a UK-US data bridge could have on the EU-UK adequacy decision. When considered alongside proposed UK data protection reform, it is possible that the data bridge proposals may prompt the European Commission to reassess the level of protection the UK affords to data subjects. The UK’s adequacy decision may be subject to review or repeal if the EU deems the UK regime to have deviated too far from the safeguards afforded under EU GDPR.
Transatlantic data flows are a fundamental part of modern business transactions. Businesses, especially those already trading in the US or looking to trade in the US, or using US-based service providers, will eagerly await the final decision. And if the government sticks to making the data bridge a key deliverable for 2023, they won’t have to wait too long for details of the bridge and its certification requirements. This timeline will be determined by the progress of negotiations between the UK and US, and the fate of the EU-US Data Privacy Framework.
Until then, UK businesses will need to continue to rely on appropriate safeguards (or derogations, if applicable) to transfer personal data to US organisations.
Do you need legal advice?
Our team at Boyes Turner are specialists in the areas of technology, media, telecoms and commercial law. We work with both UK and international businesses to provide tailored legal advice. Get in touch today with the Commercial & Technology team.
Consistent with our policy when giving comment and advice on a non-specific basis, we cannot assume legal responsibility for the accuracy of any particular statement. In the case of specific problems we recommend that professional advice be sought.