Privacy and Data update: Transatlantic data transfers

Thursday 12th October 2023

Transatlantic Data Transfers: US-UK Data Bridge Opens Today

The US-UK Data Bridge formally opens today (12 October 2023) allowing a free flow of personal data from the UK – US, where the recipient organisation in the US is self-certified with the UK Extension to the EU US Data Privacy Framework (DPF) Program.

How does this affect my organisation?

The Data Bridge means that UK organisations may transfer personal data to US organisations that are self-certified with the DPF, without the need for additional safeguards – such as the UK Addendum to the Standard Contractual Clauses (SCCs) or the International Data Transfer Agreement (IDTA). It also means that Transfer Impact Assessments are no longer required under the scope of these transfers, significantly reducing administrative expenditure for companies wishing to share data with the US.

Does this apply to all US organisations?

No. This only applies to US organisations that are self-certified with the UK Extension to the Data Privacy Framework (DPF). Participants can be found by clicking here. If a US organisation is not self-certified, additional safeguards are still required to ensure that the relevant data is protected to a UK GDPR equivalent standard.

Is there a risk of the DPF being invalidated?

Yes. Given two “adequacy decisions” for the US were invalidated, there is still some scepticism in respect of whether the DPF will stand the test of time and ultimately whether given the level of government surveillance in the USA, privacy rights can be upheld to the same GDPR standard as the UK and EU. A French MEP has already started proceedings in the EU Courts seeking an annulment of the decision and NOYB (the European Center for Digital Rights), the organisation that challenged the first two adequacy decisions, also stated it would challenge the DPF. This is an area for organisations to keep an eye on as any invalidation would trigger the need to implement contractual safeguards and internal risk assessments.

What do we do now?

Any contracts with US organisations incorporating the applicable SCCs or IDTA are still lawful. Organisations should review their privacy policy/privacy notices and update them to accurately reflect any data which is transferred to the US and which organisations/categories of organisations they transfer by the Data Bridge regime. Data processing agreement negotiations with self-certified US organisations are likely to be simpler, at least in the short term.

If you would like to speak to a member of the Data team, find us here.