The UK-US Data Bridge: A Shift in Transatlantic Data Sharing

On 12 October 2023, the UK-US Data Bridge (the “Data Bridge”) came into force, transforming the way both nations handle the flow of information across their borders. In this blog we explore the position before and after the introduction of the Data Bridge, looking at the key implications, benefits and challenges associated with the transatlantic data-sharing initiative.

The pre-Data Bridge landscape: a refresher

Before the establishment of the Data Bridge, the lawful transfer of personal data from an organisation based in the UK to a counterpart in the US was governed by a complex (and ever-changing) web of regulations, most notably the EU-US Privacy Shield (the “Privacy Shield”), the EU General Data Protection Regulation (EU GDPR) and the UK General Data Protection Regulation (UK GDPR).

EU-US Privacy Shield

Between July 2016 and July 2020, the exchange of personal data between the US and EU (and consequently the UK following Brexit) for commercial purposes was partially governed by the Privacy Shield. The purpose of the legal framework was to enable US organisations to easily receive personal data from EU entities under EU privacy laws intended to protect EU citizens. Broadly speaking, UK organisations were able to transfer personal data to US companies certified under the Privacy Shield without the need for any cumbersome additional red tape. However, following concerns about US Government surveillance practices and their impact on the privacy of EU citizens’ personal data, the Privacy Shield was invalidated by the European Court of Justice (ECJ) in 2020, creating uncertainty in the transatlantic data-sharing ecosystem.

Alternative data transfer mechanisms

As a result of the removal of the Privacy Shield, UK organisations wishing to transfer personal data to the US had to rely on alternative data transfer mechanisms, in particular Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) (each discussed in our previous blog). In practice, BCRs were (and remain) applicable only for data transfers between entities within multinational corporate groups and so, following the demise of the Privacy Shield, the majority of UK organisations relied on the use of SCCs to lawfully transfer personal data across the Atlantic. However, in order to address the concerns raised by the ECJ regarding US surveillance practices (which fostered the demise of the Privacy Shield), the SCCs were only deemed a lawful means of transferring personal data to US organisations if the data exporter also carried out a potentially complex and challenging transfer impact assessment to consider whether, in the circumstances of the transfer and with the SCCs in place, the protections for UK data subjects under the UK data protection regime would be undermined by the laws of the US.

The UK GDPR superseded the EU GDPR in the UK in January 2021 and, in March 2022, International Data Transfer Agreements (IDTAs) superseded the EU SCCs in this jurisdiction. IDTAs work in the same way as SCCs, being a means of contractually binding the data recipient to processing data in accordance with UK GDPR standards and, like the SCCs, the use of an IDTA needs to be accompanied by a transfer risk assessment to ensure that the transfer adequately protects the rights of UK data subjects.

The demise of the Privacy Shield therefore effectively increased the administrative hurdles that UK organisations needed to jump in order to lawfully transfer personal data to the US. Given the strong trading ties between the US and the UK, organisations on both sides of the Atlantic have been clamouring for a reduction in the red tape surrounding transatlantic data transfers.

EU-US Data Privacy Framework

On 25 March 2022, the US and EU announced a new data protection framework – the EU-US Data Privacy Framework (‘DPF’). The agreement provided a mechanism for personal data to transfer safely from the EU to US organisations participating in the DPF, without the need for additional data protection safeguards, and whilst ensuring compliance with EU data protection requirements.

In order to self-certify, eligible US organisations must agree to comply with the DPF principles which provide data protections for personal data transferred from the EU. A certified organisation must make a public commitment to comply with the principles via a published privacy policy. The DPF principles impose commitments on certified US organisations in relation to data protection and set out requirements on how an organisation collects, processes and discloses personal data.

The DPF came into force on 10 July 2023 following the European Commission’s decision that the US ensures an adequate level of protection (comparable to that of the EU) for personal data transferred to the US under the new framework. Whilst the DPF only applies to data transfers between the EU and US, it’s paved the way for a similar framework to be put in place to facilitate easier transfers of personal data between the UK and the US.

The UK-US Data Bridge: a new framework

The Data Bridge presents a new opportunity for transatlantic data sharing. The agreement aims to streamline and simplify data transfers, fostering more efficient and secure exchanges of information between the UK and US.

The Data Bridge is the UK extension to the DPF, allowing personal data to be transferred from the UK to organisations in the US which are participating in the DPF, without the need to put in place any further safeguards (such as an IDTA). Any transfer under the UK extension must be to an organisation in the US that is DPF-certified and has opted in to the UK extension.

Under the Data Bridge, any transfer of personal data from the UK to the US which is ordinarily covered by the UK GDPR will be subject to the principles of the DPF. Certain categories of personal data that are treated as ‘special category’ data under the UK GDPR are not considered ‘sensitive’ information under the DPF unless they have been identified as sensitive by the transferring organisation. The categories of data that must be expressly flagged as sensitive are:

• biometric data for the purpose of uniquely identifying a natural person;
• data concerning sexual orientation;
• genetic data; and
• criminal offence data.

There are also some rights under the UK GDPR which are not protected under the DPF, namely:

• the right to be forgotten under the UK GDPR;
• the rights under the UK GDPR relating to decisions based solely on automated processing; and
• the unconditional right to withdraw consent to data processing.

UK businesses seeking to take advantage of the Data Bridge should therefore ensure that all pre-transfer requirements and considerations are met and made before relying on the Data Bridge as a valid transfer mechanism.

Benefits and challenges

The introduction of the Data Bridge is marked by several key benefits:

1. Legal clarity: The Data Bridge provides a clear legal framework for data transfers, reducing uncertainty for businesses and individuals on both sides of the Atlantic. This framework aligns with international standards for data protection and privacy.
2. Enhanced security: The agreement prioritises data security, ensuring that personal data remains safe during transit and storage. This commitment to security is vital in an era where data breaches and cyber threats are ever-present.
3. Reduced compliance costs: Administrative obligations under the Data Bridge are much reduced compared to those under alternative compliance measures, such as the IDTA. The Data Bridge therefore represents a more cost-effective means for businesses to operate on both sides of the Atlantic. This, in turn, encourages economic growth and innovation.
4. Swift dispute resolution: The Data Bridge includes mechanisms for swift resolution of data-related disputes, reducing the need for lengthy legal battles and associated costs.

While the introduction of the Data Bridge brings a multitude of benefits, it’s not without its challenges and concerns:

1. Data privacy: Critics worry that the agreement may not go far enough in safeguarding data privacy. It is crucial for governments and businesses to strike the right balance between data sharing and individual privacy rights.
2. Security risks: As data sharing becomes more streamlined, there is always the risk of increased exposure to security threats. It is essential for organisations to maintain robust cybersecurity measures.
3. Regulatory compatibility: The Data Bridge must work in harmony with existing data protection regulations, such as the UK GDPR and the U.S. Privacy Act, to ensure a seamless and compliant data-sharing environment.

Conclusion

The introduction of the Data Bridge marks a significant shift in transatlantic data sharing. It promises to simplify the transfer of information from the UK to the US, streamlining business operations, reducing compliance costs, and enhancing data security. However, as with any major change, there are challenges to navigate. Striking the right balance between data sharing, privacy protection, and cybersecurity remains a critical task for both governments and businesses.

If your business requires advice on its compliance with the Data Bridge, please contact our data protection lawyers.