The UK-US data bridge came into effect in October 2023, marking a significant step toward harmonizing data protection standards between the United Kingdom and the United States.
The UK-US data bridge was established under the Data Protection Act (DPA) 2018 and acts as an extension to the EU-US Data Privacy Framework (DPF), the long-awaited replacement to the EU-US Privacy Shield. It allows businesses to transfer personal data between the two territories without putting in place further safeguards, such as standard contractual clauses (SCCs), or carrying out a transfer risk assessment.
Transferring personal data across the Atlantic would otherwise be prohibited under the UK General Data Protection Regulation (GDPR).
To be eligible for the UK-US Data Bridge, US companies must participate in the DPF, and both U.K. and U.S. organizations will be required to carry out tasks such as checking their data protection policies and certifying to the Data Privacy Framework List.
UK-US data bridge: Improved protections
The UK government is confident the data bridge will ensure that personal data transferred from the UK to the US will be adequately protected, while legal experts say that various efforts have been made to improve privacy protections compared to the previous transfer regimes which were nullified by the Court of Justice of the European Union (CJEU).
Alex Hazell, head of legal and privacy for EMEA at Acxiom, tells ITPro that European citizens’ US redress has been strengthened and a US law change requiring surveillance to be “proportionate” has been implemented.
Addressing these concerns at the start could help to keep the UK-US data bridge from the fate of the EU-US privacy shield, which was invalidated by the European Court of Justice in 2020 due to serious misgivings with the agreement when it came to US surveillance on EU residents. Robert Wassall, director of legal services at NormCyber says that another welcome change is the new redress mechanism the US has established.
“Under this mechanism, any individual who reasonably believes that they have had their personal data transferred from the UK to the US and that their personal data has been accessed, is able to submit a complaint through the Information Commissioner’s Office (ICO),” says Wassall.
Implement zero trust-based security across your entire ecosystem
Sarah Pearce, a partner at American law firm Hunton Andrews Kurth, tells ITPro that, unlike previous efforts, the data bridge shows a sense of alignment of the UK and EU position in respect of data transfers to the US.
“According to the UK government, the data bridge would remove the ‘burden’ of putting in place ‘costly contract clauses… to ensure protection and privacy standards are maintained,’” she says. “Indeed, the idea is that US companies approved to join the framework would be able to receive UK personal data in the same way that the DPF’s predecessor, the Privacy Shield, operated without the need for those additional lengthy contractual provisions.”
UK-US data bridge: Long-term doubts
While experts agree that improvements have been made compared to previous efforts, concerns about the legislation remain.
The Open Rights Group has argued that the data breach will “betray UK democratic values, and position the UK as a data-laundering heaven pushing for a global privacy race to the bottom”.
“This approach doesn’t only fail to provide a long-term, pragmatic solution to international data transfers, but would further the UK’s reputation as an ‘international rogue actor’ that recent UK Governments have advanced throughout the years,” writes Mariano delli Santi, a data protection expert at ORG.
The ICO has also been quick to highlight specific areas that could pose risks to data subjects in the UK. The watchdog has raised concerns about certain terminology used and also recommends monitoring the implementation of the UK-US data bridge generally, to ensure it operates as intended.
For example, the ICO points out that the UK-US data bridge does not name all the special category data defined in Article 9 of UK GDPR, such as biometric, genetic, criminal offense, or sexual orientation data. While this puts a responsibility on UK organizations to identify these data categories on their own initiative if this data is being sent to a US organization, the text does not contain a mechanism to compel businesses to carry this out and the ICO expressed its concern that some businesses will fail to perform the relevant data protections.
UK-US data bridge: Legal hurdles to come
Some experts have said that legal challenges against the UK-US data bridge are likely, particularly as the DPF is already facing legal scrutiny. A French Member of the European Parliament has already asked the EU’s General Court to have the DPF suspended, arguing that it is the product of a flawed consultation process and fails to appropriately protect the fundamental rights of EU citizens.
“Because there are key differences which may lead to data subjects in the UK having less control over their data than UK GDPR provides, there is scope for the agreement to falter,” Lucy Burrows, associate and specialist data privacy lawyer at Keller Postman UK, tells ITPro. “For example, there is not a comparable right to be forgotten provision set out in the data bridge.
“It seems likely that there will be legal challenges to the data bridge, especially when considering the specific areas that are open for challenge, as highlighted by the Opinion issued by the ICO. Further, the data bridge acts as an extension to the Data Privacy Framework, which is anticipated to encounter legal challenges in the CJEU, and as such may invalidate the data bridge,” she added.
Hazell also believes that legal challenges are likely - noting that privacy activist Max Schrems, who brought the earlier CJEU cases, has already stated his intention to file a new challenge to the Data Privacy Framework by next year.
“The UK-US data bridge will only stand the test of time if the Data Privacy Framework does, and that depends on whether the CJEU determines the transfer mechanism is adequate under the GDPR,” Hazell says. “As CJEU decisions no longer apply in the UK, it is possible that the DPF is nullified in the EU but continues (like the Privacy Shield did) to allow for UK bridges. Legally complex waters are nothing new when it comes to international transfers under the GDPR.”
In July Nader Henein, research VP of privacy and data protection at Gartner told ITPro that the DPF will be overturned within five years and dubbed legal warnings from Max Schrems “Déjà EU”. Henein advises organizations to put plans in place that do not rely on the framework. If it was overturned, the UK-US data bridge would collapse by extension.
With legal challenges expected, it remains to be seen whether the UK-US data bridge will stand the test of time. However, while many believe the mechanism doesn’t solve long-term issues around data governance strategies, security, and privacy controls organizations transferring data between the UK and the US need to act now to ensure they have the right measures in place to comply with the new regulations.
“This new framework requires both parties – importer and exporter – to have adept contract management systems and secure data transfer protocols in place,” Charlie Bromley-Griffiths, corporate counsel at Conga, tells ITPro.
“All systems will need to be aligned with teams reviewing end-to-end processes, to ensure all data is accounted for across the entire contract lifecycle. Most importantly, organizations will need to educate themselves on the guiding principles of the framework and make sure that they fully understand the requirements and their chosen exporter has done the same.”
