On September 21, 2023, the UK Government announced the establishment of the “UK-US data bridge” (the Bridge), also known as the UK Extension to the EU-U.S. Data Privacy Framework (the DPF). The announcement promises to simplify compliance issues surrounding the transfer of personal data from the UK to the U.S.
- With effect from October 12, 2023, businesses in the UK will be able to rely on the Bridge to transfer personal data to U.S. organizations that have self-certified to the DPF and opted in to receive personal data from the UK.
- The Bridge is not a standalone program, meaning that organizations can only rely on it if they are already participating in the EU-U.S. portion of the DPF.
- Where a recipient U.S. organization has self-certified its compliance, it will no longer need to put in place an alternative transfer mechanism such as the UK International Data Transfer Agreement, or the UK Addendum to the Standard Contractual Clauses.
- Exporters of personal data from the UK that rely on the Bridge will not be required to carry out a Data Transfer Impact Assessment, which typically requires a substantial investment of resources. Businesses that choose not to rely on the Bridge can still refer to the UK’s adequacy decision, once approved by the UK Parliament, to inform their assessment when undertaking a Data Transfer Impact Assessment.
- Self-certification to the DPF involves publicly committing to comply with the “EU-U.S. Data Privacy Framework Principles” (the Principles) and submitting information to the U.S. Department of Commerce through the DPF website. Preparing for self-certification to the DPF involves taking a number of steps that are necessary under the Principles, which we set out in detail in our client alert.
A Note of Caution Regarding Health and Criminal Offense Data
A factsheet released by the UK Government identifies particular issues with regard to transferring “sensitive information” under the DPF, which organizations collecting health or criminal background related data will need to take into account:
- Identifying certain categories of health data as sensitive. Where UK organizations rely on the DPF to share genetic data, biometric data that uniquely identifies a natural person, or data concerning sexual orientation, they must make clear to the U.S. organizations that receive this information that it is sensitive. This is because the UK Government considers that the definition of “sensitive data” under the DPF does not exactly mirror the UK General Data Protection Regulation’s (GDPR’s) definition of “special category personal data.”
- Informing individuals about the collection of criminal offense data. Where U.S. organizations wish to receive criminal offense data in connection with human resources-related data flows, they must indicate this in their self-certification.
The Bridge provides a streamlined and efficient way for companies subject to the UK GDPR to transfer personal data to the U.S. Its announcement is good news for organizations with UK operations that are already relying on the DPF for transfers of personal data from the EU. Although the DPF will likely be challenged in court in the EU, it is currently unclear what impact any such challenge would have on the validity of the Bridge.
Wilson Sonsini Goodrich & Rosati routinely helps clients manage risks related to the enforcement of privacy and data protection laws, along with advising clients on general domestic and international privacy and data security issues. For more information, please contact Cédric Burton, Laura De Boel, Yann Padova, Maneesha Mithal, Christopher Kuner, Nikolaos Theodorakis, Tom Evans, or another member of the firm’s privacy and cybersecurity practice.