The UK Government bridges the gap for UK-US personal data transfers

Yesterday, the Department for Science, Innovation and Technology announced that from 12 October 2023, UK organisations can transfer personal data to US organisations certified under the “UK Extension to the EU-US Data Privacy Framework” without the need for additional safeguards – the UK-US Data Bridge. However, the UK-US Data Bridge does not mean there are free-flowing transfers of personal data between the two countries. US organisations must be certified to the EU-US Data Privacy Framework (EU-US DPF) and the UK extension to the DPF for the UK-US Data Bridge to apply.

The EU-US DPF is a bespoke, opt-in certification scheme for US organisations, built on a set of enforceable principles and requirements that organisations must certify to and comply with. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations that have been certified to the EU-US DPF can opt in to receiving data from the UK. Once a US organisation has been certified and is publicly placed on the EU-US DPF List on the DPF website, it can receive UK personal data through the UK-US Data Bridge. This means that US organisations that wish to participate in the UK-US Data Bridge must also participate in the EU-US DPF and comply with its principles.

Previously, standard contractual clauses or binding corporate rules would typically be in place before a UK-based data transfer could be made to the US. Those mechanisms can still be used for US organisations that are not certified on the DPF, but US organisations subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation will now be able to self-certify to the EU-US DPF and the UK extension to the DPF to benefit from the new UK-US Data Bridge.

This news will be welcomed by many organisations in the UK and US, as it offers a streamlined process for transferring personal data from the UK to the US. However, there is no doubt the UK-US Data Bridge will be tested, given that the EU-US DPF has already faced a legal challenge from French MP Philippe Latombe seeking to annul it. Latombe raised concerns about the lack of debate on the EU-US DPF in the European Parliament and in member state parliaments, the lack of the EU-US DPF text in any language other than English, the lack of sufficient guarantees for an effective remedy in relation to the protection of personal data, and US mass surveillance. Latombe considers that this action is a quicker route than the challenge planned by Noyb and Max Schrems.
