The UK-US data bridge is now in effect. As a result, organizations in the UK can transfer personal data to US organizations that have self-certified to the EU-US Data Privacy Framework (DPF) without needing to implement additional safeguards.
What is the data bridge, and what does it seek to address?
Chapter V of the UK's implementation of Regulation (EU) 2016/679 (the UK GDPR) imposes a general prohibition on cross-border transfers of personal data to recipients located outside the UK, unless appropriate transfer mechanisms are implemented, or a derogation applies.
There are several mechanisms available to UK organizations to overcome these restrictions, including where the Information Commissioner's Office (ICO) has determined that a jurisdiction provides an ‘adequate' level of protection for personal data transferred from the UK to that jurisdiction.
Where the ICO has decided that a jurisdiction provides adequate protections, personal data can flow freely to that jurisdiction without the transferor needing to implement additional safeguards (or seek to rely on derogations) under the UK GDPR.
The US has twice previously been deemed adequate under the pre-Brexit (EU) GDPR regime. However, the Court of Justice of the EU (CJEU) has issued rulings that effectively invalidated those adequacy decisions on two occasions. A central concern has been the degree of protection afforded to personal data in the US, which can be accessed by public agencies for law enforcement and national security purposes.
Subsequently, the EU and the US negotiated the DPF. The DPF allows personal data to be transferred from the European Economic Area (EEA) to US organizations that have self-certified to the DPF, by providing additional safeguards and redress mechanisms to affected individuals (particularly where US intelligence agencies may access their data). The European Commission declared the DPF to be adequate for (EU) GDPR purposes.
The data bridge functions as an extension of the DPF, allowing personal data to be lawfully transferred from the UK to self-certifying entities in the US. It provides affected individuals with similar safeguards and redress mechanisms to those set out in the DPF, thereby (in principle) ensuring that their personal data are still subject to an ‘adequate' level of protection once transferred to the US. Switzerland has also recently implemented a similar approach.
For UK organizations, the data bridge has two core benefits. First, it removes the need to implement additional safeguards, which can be complex, costly, and time-consuming. Second, it harmonizes transatlantic data transfer regimes by enabling entities in the UK and the EEA (and, once adequacy is formalized, Switzerland) to all use effectively the same mechanism for sending personal data to the US.
However, it's worth noting there are some important considerations for those seeking to use the data bridge.
UK organizations cannot simply transfer personal data to any US recipient
For personal data to flow freely under the data bridge, the US recipient must be self-certified under both the DPF and the data bridge.
However, not all US organizations are permitted to self-certify to the DPF. Only US organizations that are subject to the jurisdiction of the Federal Trade Commission or the Department of Transportation are currently eligible to participate.
This generally excludes insurance, banking, and telecommunications organizations. The US recipient must also specifically elect to participate in the data bridge.
Certain categories of personal data are subject to additional requirements
UK organizations should carefully review the types of personal data to be transferred to the US and consider whether these are covered by applicable restrictions under the data bridge.
For example, journalistic data (including any personal information that is gathered for publication, broadcast, or other forms of public communication) cannot be transferred under the data bridge.
Additionally, certain special categories of data (such as genetic data or biometric data used to uniquely identify an individual, and criminal offense data) must be specifically identified as "sensitive" data in order to be transferred under the data bridge and such data require additional protections when being transferred.
The data bridge may be challenged in the coming years
The DPF is highly likely to face legal challenges before the CJEU, on the basis that the DPF arguably does not do enough to protect EU citizens whose personal data are transferred to the US. This is perhaps unsurprising, given that the CJEU invalidated previous adequacy decisions on similar grounds.
It seems likely that any such challenges may take years to get through the European courts, and it remains to be seen whether similar challenges will be raised in the UK.
However, the ICO has already issued an opinion highlighting specific areas that could leave the data bridge open to challenge.
As such, UK organizations should keep abreast of developments in this area and consider whether to rely on the data bridge, or continue to use other data transfer mechanisms (e.g., Standard Contractual Clauses or the UK International Data Transfer Agreement) when transferring personal data to the US, to avoid the risk that the data bridge is later invalidated by the courts.
