The proposed UK-US data bridge will formally open to traffic in just under three weeks, on Thursday 12 October, enabling UK businesses and organisations to transfer data to certified organisations in the US.
The adequacy regulations establishing the long-awaited bridge were laid in Parliament by Michelle Donelan, the minister for science, innovation and technology, on Thursday 21 September, three days after US attorney general Merrick Garland signed off on the UK’s status as a “qualifying state” under Executive Order 14086.
This designation allows all UK individuals whose personal data has been transferred to the US under any transfer mechanism – including Articles 46 and 49 of the UK GDPR – access to the new redress mechanism should they believe US authorities have unlawfully accessed their data.
The Department for Science, Innovation and Technology (DSIT) said the minister had determined that the bridge, which is officially the UK Extension to the EU-US Data Privacy Framework, does not undermine the level of data protection for UK data subjects when their data is transferred to the US, essentially that the framework maintains an acceptably high standard of privacy for data on UK citizens.
Westminster hopes that establishing the data bridge, which is now its “preferred term” for a data adequacy agreement, will speed up processes for businesses, reduce costs and increase opportunities for UK organisations exporting data-enabled services – such organisations exported over £79m of data-enabled services to the US alone in 2021.
Up to now, those that wanted to do this had to have contract clauses in place to guarantee UK data privacy and protection standards are respected. The new data bridge removes this burden.
Speaking in June, Chloe Smith, acting in her capacity as minister for science, innovation and technology while Donelan was on maternity leave, said: “Data bridges not only offer simpler avenues for the safe transfer of personal data between countries, but also remove red tape for businesses of all sizes and allow them to access new markets. International collaboration is key to our science and technology superpower ambitions, and working with global partners like the United States ensures we can open new opportunities to grow our innovation economy.”
It is important to be aware that data bridges in general are not reciprocal, and do not necessarily permit the free flow of data in the other direction, i.e. from the US to the UK. A data bridge merely serves to ensure that levels of data protection for UK citizens under the UK GDPR are maintained abroad. Similar arrangements exist with the EU, although its future is in doubt, and with South Korea. The government would like to have more.
In assessing whether or not to establish a data bridge, the government takes into account several factors, including the protection the other party provides for personal data, the rule of law, respect for human rights and fundamental freedoms, and the existence and effectiveness of regulatory oversight.
“The UK Extension will be welcomed by British businesses, who will soon have an additional mechanism to transfer personal data to the United States and which will in part reduce the papering exercises required to ensure that their transatlantic data flows are conducted lawfully,” said Edward Machin, a senior lawyer in the data, privacy and cyber security practice at Ropes & Gray, a law firm.
However, said Machin, progress from this point on is unlikely to be smooth. “The EU-US framework has already been legally challenged, and it would be surprising if privacy interest groups in the UK don’t mount their own challenge to the UK Extension,” he said.
“We’ll then see whether the English courts can strike a workable balance between upholding privacy rights and securing national security interests – a balance that their European counterparts arguably didn’t manage when ruling on previous transatlantic data frameworks.”
“The UK’s post-Brexit policy-making has revolved around liberalising its data protection regime without straying too far from the GDPR and therefore no longer being considered by the European Union to offer adequate protection for personal data,” said Machin. “A key concern in Brussels has been that the UK wants a watered down transfer deal with the United States – and left to its own devices, the government may have taken the path of least resistance.
“The fact that the UK Extension mirrors the Data Privacy Framework will help to assuage European concerns, but the UK’s data transfer deals with other countries will continue to be subject to scrutiny both at home and abroad.”
Georgina Graham, a privacy and technology partner at law firm Osborne Clarke, said that in general, the bridge would be a welcome addition from the perspective of US businesses that manage personal data globally, and to make accessing the US market for data services more attractive to the British side.
“US businesses must already participate in the EU-US Data Privacy Framework to be able to participate in the UK-US data bridge. Those organisations can elect to participate in the UK-US data bridge either: (i) as part of their annual re-certification to the EU-US Data Privacy Framework, or (b) outside of their annual certification to the EU-US Data Privacy Framework provided that they make their election no later than six months from 17 July 2023. US organisations which have elected to participate in the UK-US data bridge are indicated on the Data Privacy Framework List – as of 21 September, there are already over 550 organisations on that list.
“Both UK and US businesses may need to make changes to their privacy notices, records of processing and contracts – including contracts with customers and suppliers – to reflect their reliance on the UK-US data bridge,” she said.
Graham additionally noted that some businesses in the UK may still prefer to use a “belt-and-braces” approach, relying both on the new bridge and alternative data transfer mechanisms such as the International Data Transfer Agreement/Addendum, which could yet prove highly relevant because should the wider EU-US Framework be shot down, the future of the UK’s extension to it could be in doubt.
UK businesses should also be aware that some types of US organisations are ineligible from participation in the UK-US bridge or the EU Framework, and some data cannot be transferred under it, or must be additionally secured before it can be. This includes some special categories such as journalistic data and information related to criminal offences, for example.