On June 8, 2023, the UK and the U.S. governments issued a joint statement announcing that they had committed in principle to the establishment of a “UK Extension to the Data Privacy Framework,” which would facilitate flows of personal data between the two countries (the “Data Bridge”).
The establishment of the Data Bridge is contingent on an assessment by the UK government, the adoption of adequacy regulations under the Data Protection Act 2018, and the U.S. designating the UK as a “qualifying state” under Executive Order 14086.
Background
The UK General Data Protection Regulation (UK GDPR) requires companies to ensure personal data is adequately protected when transferred outside the UK. There are various ways to ensure adequate protection, including through the use of the UK International Data Transfer Agreement, or reliance on Binding Corporate Rules. The UK can also adopt adequacy regulations determining that the legal framework of a third country provides an adequate level of protection. Companies can then freely transfer personal data from the UK to that third country based on such “adequacy regulations.” Such regulations would need to be adopted by the UK government in order for the Data Bridge to be given legal effect.
Extension to the EU-U.S. Data Privacy Framework
A press release announcing the commitment in principle states that the Data Bridge will be an extension of the EU-U.S. Data Privacy Framework (DPF). The DPF is designed to serve as a basis for an adequacy decision by the European Commission for transfers to the U.S., and an adequacy decision is expected to be adopted later this year. For further background information on the development of the DPF, please see the latest Wilson Sonsini Alert.
Although few details are currently available about how the Data Bridge will operate, it is expected that U.S. companies will self-certify to the DPF and, once the process is complete, be permitted to receive UK personal data under the Data Bridge. Switzerland operated a similar arrangement with previous frameworks that were struck down by the Court of Justice of the European Union, including the EU-U.S. Safe Harbor and Privacy Shield. The press release notes that further technical work is required before a decision can be taken as to whether the Data Bridge should be adopted, and that this is likely to take place in the coming months. Organizations carrying out transfers from the UK to the U.S. should therefore keep their data transfer strategies under review in the short term.
For more information, please contact Cédric Burton, Laura De Boel, Maneesha Mithal, Nikolaos Theodorakis or another member of the firm’s privacy and cybersecurity practice.