On September 21, 2023, the UK Secretary of State for Science, Innovation and Technology laid before Parliament regulations that will operate to significantly simplify the process for UK businesses to transfer personal data to the United States.
Since the UK left the European Union, it's fair to say that transferring personal data outside of the UK has become increasingly complex for businesses, with many clients facing the prospect of having to comply with both the requirements of the UK GDPR and the EU GDPR. The UK GDPR allows the UK Government to designate certain jurisdictions as affording adequate protection to personal data.
Where a country is designated as affording adequate protection, this significantly reduces the compliance requirements and removes the need to put in place one of the approved cross-border transfer tools (e.g. the UK Addendum to the Standard Contractual Clauses or the EU Standard Contractual Clauses).
To date, there has been a gaping hole in the list of countries that the UK has deemed to provide adequate protection: the United States. For many UK businesses, and particularly post-Brexit, doing business with organizations in the United States has taken on increased importance - whether that be through supply of goods/services to customers in the United States, setting up a branch office or overseas subsidiaries, or using suppliers that are located in the United States (e.g. some cloud service providers). These arrangements often involve the transfer of personal data to the United States.
The newly announced data bridge will facilitate and streamline some of those transfers and remove what was previously a time-consuming compliance exercise of putting one of the approved cross-border transfer tools in place.
So what is the data bridge and what does it mean for businesses?
The data bridge will come into effect on October 12, 2023 and effectively extends the EU-US Data Privacy Framework to the UK. This means that UK businesses can transfer personal data to businesses in the US that have made a certification under the EU-US Data Privacy Framework. US businesses will need to opt in to receive UK personal data through that framework. Further detail on the framework and the steps US businesses need to take to achieve certification can be found here.
In practice, this means that UK businesses will simply need to verify that the party receiving the personal data has the relevant certification. This can be checked by visiting the Data Privacy Framework site. As those of you who are familiar with the ups and downs of transfers of personal data to the United States will know, previous mechanisms to facilitate transfers of personal data outside of the EU/UK to the United States have been challenged in the courts and found to be invalid (think Safe Harbor and Privacy Shield). There is a risk that this new data bridge will also be challenged (legal challenges have been reported against the EU-US Data Privacy Framework). It is therefore important that if you contract with an organization that is certified, you build protection into the arrangement which covers the scenario where the EU-US Data Privacy Framework is successfully challenged or the organization fails to maintain its certification.
If the US business you are sharing personal data with is not certified under the EU-US Data Privacy Framework, then you will still need to follow the UK GDPR cross-border transfer rules and potentially carry out a transfer risk assessment and put one of the UK's approved transfer tools in place.