On 8 June 2023, the UK Secretary of State for Science, Innovation, and Technology and the US Commerce Secretary jointly announced the intention to establish a UK-US data bridge.
The proposed data bridge between the UK and the US would build upon the EU-US Data Privacy Framework (DPF) as the UK Extension, allowing free transfers of personal data from the UK to organisations in the US certified under the EU-US DPF. It is contingent on the UK’s assessment of US data protection laws and practices, as well as the US designation of the UK as a qualifying state.

Safeguarding Data: Transfer Mechanisms in the UK-US Context

Currently, businesses wanting to transfer personal data from the UK need to navigate between layers of legal and regulatory requirements. Following Brexit, the UK introduced the GDPR as domestic law (UK GDPR) but added its own data transfer mechanisms. Transfers of personal data from the UK to a third country need to comply with safeguards set out in Article 46 of the UK GDPR. This can be achieved, among other options, by incorporating the International Data Transfer Agreement (a UK version of the Standard Contractual Clauses) into commercial agreements or as a standalone agreement. If organisations are already signing the EU Standard Contractual Clauses (SCCs) and the UK is one of the territories the personal data is transferred from, a UK Addendum to the EU SCCs can be used for efficiency.

Binding Corporate Rules (BCRs) are another mechanism for multinational organizations to transfer personal data within their corporate group globally. Post-Brexit, BCRs need to be approved by the Information Commissioner’s Office (ICO) to facilitate data transfers from UK entities, unless the ICO acted as a lead authority for BCRs approved pre-Brexit.

Organisations also need to complete a Transfer Risk Assessment (TRA) for transfers from the UK or EU, which is required to evaluate local laws of the third country in connection with government access to personal data.

The proposed UK-US data bridge aims to simplify data transfers from the UK for those US organisations that will sign up to the EU-US DPF.

Whilst the large volume of transatlantic data flows signifies an urgency for a UK-US data bridge, it is still at a very early stage and clarity is needed regarding the scope, criteria and requirements for participating organisations.

What’s next?

The EU-US DPF remains under scrutiny by the European Parliament. The UK-US data bridge is dependent on the development of negotiations on the EU-US DPF, expected to be finalized in summer 2023. Both the UK and US aim to finalize the agreement in 2023.