Yesterday, the Department for Science, Innovation and Technology announced that from 12 October 2023, UK organisations can transfer personal data to US organisations certified under the “UK Extension to the EU-US Data Privacy Framework” without the need for additional safeguards – the UK-US Data Bridge. However, the UK-US Data Bridge does not mean there are free-flowing transfers of personal data between the two countries. US organisations must be certified to the EU-US Data Privacy Framework (EU-US DPF) and the UK extension to the DPF for the UK-US Data Bridge to apply.
The EU-US DPF is a bespoke, opt-in certification scheme for US organisations that includes a set of enforceable principles and requirements that must be certified to, and complied with. These principles take the form of commitments to data protection and govern how an organisation uses, collects and discloses personal data. US organisations who have been certified to the EU-US DPF can opt in to receiving data from the UK and once a US organisation has been certified and is publicly placed onto the EU-US DPF List on the DPF website they can receive UK personal data through a UK-US data bridge. This means that US organisations that wish to participate in the UK-US Data Bridge must also participate in the EU-US DPF and comply with its principles.
Previously, standard contractual clauses or binding corporate rules would typically be in place before a UK-based data transfer could be made to the US. Those mechanisms can still be used for US organisations that are not certified on the DPF, but US organisations subject to the jurisdiction of the US Federal Trade Commission or the US Department of Transportation will now be able to self-certify to the EU-US DPF and the UK extension to the DPF to benefit from the new UK-US Data Bridge.
This news will be welcomed by many organisations in the UK and US offering a streamlined process for transferring personal data from the UK to the US. However, it is no doubt the UK-US Data Bridge will be tested given the EU-US DPF has already received a legal challenge by French MP Philippe Latombe to annul the EU-U.S DPF. Latombe raised concerns about the lack of debate on the EU-US DPF in the European Parliament and in member state parliaments, the lack of the EU-US DPF text in any language other than English, the lack of sufficient guarantees for an effective remedy in relation to the protection of personal data and over US mass surveillance. Latombe considers that this action is a quicker route than the challenge planned by Noyb and Max Schrems.