The new UK-US data bridge - Key Facts
The UK government has approved the UK-US “data bridge”. Our overview highlights several key issues that businesses and organisations involved in the transfer of personal data from the UK to the US need to be aware of.
From 12 October 2023, businesses in the UK can start to transfer personal data to US organisations certified to the “UK Extension to the EU-US Data Privacy Framework”. The new data bridge removes the need for further safeguards such as those set out in Articles 46 and 49 of the UK GDPR.
WHAT IS THE EU-US DATA PRIVACY FRAMEWORK?
The EU-US Data Privacy Framework (DPF) is a bespoke, opt-in certification scheme for US organisations. The DPF includes a set of enforceable principles and requirements that US-based organisations must comply with in order to sign up to it. These principles include commitments to data protection. They also govern how an organisation uses, collects and discloses personal data. Importantly, US organisations that have been certified under the DPF can opt in to receiving data from the UK.
Can special category or sensitive data be shared under the UK-US data bridge?
Special category and sensitive data can be shared with US-based organisations under the DPF. However, personal data of this type must be correctly identified and categorised by UK organisations when it is being shared. For the avoidance of doubt, this includes genetic data, biometric data for the purpose of uniquely identifying a natural person and data concerning sexual orientation.
CERTIFICATION
Before sending personal data to the US, UK based businesses and organisations must confirm that the recipient is certified with the DPF (and when transferring HR data specifically, US organisations will also need to have highlighted this on their DPF certification).
WHAT HAPPENS IF THE US ORGANISATION WE WANT TO TRANSFER PERSONAL DATA TO DOES NOT PARTICIPATE IN THE DPF?
If you cannot rely on the new UK-US data bridge then you will have to use one of the pre-existing appropriate safeguards (e.g., the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses). Alternatively, you may be able to rely on one of the available derogations under Article 49 of the UK GDPR for international data transfers.
WE INTEND TO UTILISE THE NEW UK-US DATA BRIDGE SO WHAT SHOULD WE BE DOING NOW?
UK organisations should consider updating their existing privacy policies. UK organisations should also document their own processing activities as necessary to reflect any changes in how they transfer personal data to the US.
Please contact Nathan Combes if you’d like more information about the issues raised in this update and/or to find out more about data protection related policies, documents, advice and training that we provide.
Disclaimer: the information set out above does not constitute legal advice and it is provided for general information purposes only. No warranty, whether express or implied, is given and neither the author nor Harrington Law shall be liable for any technical, editorial, typographical or other errors or omissions within the information provided.