UK-US Data Bridge: Transatlantic Data Transfers

5 February 2024 | Written by Rosie Kelly, Information Governance Manager

Rosie Kelly, Information Governance Manager at Veritau has released a blog post focusing on the recently introduced UK-US Data Bridge scheme, which aims to simplify transatlantic personal data transfers. Read the article in full below.

For many organisations in the UK, managing data transfers to the US over the past few years has been a complex and uncertain landscape. The recent introduction of the UK-US Data Bridge may bring some welcome relief – at least for the present!

What is the Data Bridge?

The UK-US Data Bridge, enacted in October 2023, replaces the invalidated Privacy Shield framework. It facilitates data flows between the UK and US by ensuring US companies that participate adhere to robust data protection principles, similar to those enshrined in UK and EU laws.

Key features:

  • Data protection principles: US companies that self-certify to the scheme commit to follow the essential principles for protection of personal data.
  • Oversight and accountability: mechanisms in the US aim to ensure compliance and transparency.
  • National security exceptions: national security needs are balanced with reasonable safeguards to protect against data misuse.
  • Redress mechanisms: individuals have avenues to seek remedies in the US if their data is mishandled.

You may hear the scheme referred to more formally as the EU-US Data Privacy Framework (DPF) and UK Extension.

What does this mean for UK organisations?

  • Simpler transfers: you can lawfully transfer personal data to US businesses that are self-certified to the Data Bridge.
  • No additional safeguards needed: for transfers under the Data Bridge, there is no need to use the International Data Transfer Agreement (IDTA) or the 2021 EU SCCs and UK Addendum.
  • No supplementary measures required: ICO guidance has now confirmed that a Transfer Risk Assessment (TRA) will not need to be completed when the data recipient is signed up to the Data Bridge.
  • Streamlined contracts: US suppliers only need to implement the standard data processing terms from Article 28 of the UK GDPR, which are often already included in contracts.

Over time we would expect to see most popular US-based IT applications and services certify to the scheme, which should ultimately result in reduced admin for UK companies.

How can you stay compliant?

We recommend seeking advice from your Data Protection Officer (DPO) who can review your supplier contracts and US transfer arrangements. This includes verifying which suppliers are signed up to the Data Bridge scheme. Existing contracts which contain appropriate safeguards will remain valid until they are renewed or updated.

There are specific aspects of the scheme which your DPO will need to navigate carefully. For example, the DPF differentiates between HR and non-HR data, so it is important to ensure the type of data being transferred is covered on the company’s DPF record.

There are also differences between the US term ‘sensitive data’ and the UK definition of ‘special category data’. This means that certain special category data needs to be explicitly identified in the contract prior to the transfer.

Your DPO should be able to guide and assist you. Another option is to enlist an external supplier to review this specific area of compliance on a one-off consultancy basis.

Horizon scanning

It is worth noting that the Data Bridge is not without its issues and its success is far from guaranteed. For example, the ICO stated its opinion that there are still outstanding risks to personal data in the US that have not been fully mitigated by the scheme. It also remains to be seen how effective the new oversight and accountability mechanisms in the US will be in practice.

The EU version of the scheme has already been challenged by a French MP, who is seeking an annulment. However, his application for an interim suspension until the annulment action is decided was rejected on the basis that the applicant had not demonstrated sufficient urgency. The court is still considering his case for annulment.

When the EU version of the scheme was announced, Max Schrems suggested on the NOYB website that he may return to court early this year. Bearing in mind the success of both Schrems 1 and Schrems 2, the potential for Schrems 3 certainly appears to put the EU DPF at risk.

Although the UK is no longer bound by EU law, a successful challenge in the EU could also influence the outlook for the UK Extension. This is because if the EU and UK diverge on transfers to the US, this could have serious implications for the UK’s adequacy status which is due for renewal in 2025.

If the EU feels there is a risk of onwards transfers to the US via the UK that are (in their view) non-compliant, they could revoke the UK’s adequacy. This would severely disrupt data flows and business between us and the EU.

Given there are still uncertainties around the scheme, it will be important to stay abreast of the latest news and developments, to ensure your international data transfers remain lawful.

About Veritau

Veritau is a local government owned company providing assurance services to over 600 public sector clients. This includes:

  • Internal audit
  • Counter fraud
  • Information governance (including a DPO service)
  • Risk management
  • Whistleblowing support

To discuss your organisation’s data protection needs, please contact us.