On 21 September 2023, the UK Department for Science, Innovation and Technology announced further details on the new transatlantic data flow mechanism for UK-to-US personal data transfers. The new adequacy regulations were laid in Parliament and will take effect on 12 October 2023. From that date on, organisations in the United Kingdom will be able to transfer personal data to US organisations that are certified to the “UK Extension to the EU-US Data Privacy Framework” without the need for additional data protection safeguards.

As previously described by ERM (here and here), the EU-US Data Privacy Framework (“DPF”) is a mechanism that allows personal data to be transferred from the EU to US companies that are certified under the DPF without the need for additional data protection safeguards. Companies that wish to self-certify under the DPF need to commit to the “DPF Principles” and comply with a detailed set of privacy obligations.

How does the Data Bridge Work?

The UK Extension to the DPF, also known as “UK-US Data Bridge”, extends the DPF to data flows from the UK to the US. US organisations that already participate in the Data Privacy Framework can opt in to receive data from the UK. Those that wish to do so can elect to participate in the UK-US Data Bridge either as part of their annual re-certification to the EU-U.S. Data Privacy Framework, or outside of their annual certification to the EU-US Data Privacy Framework provided that they make their election no later than January 16, 2024.

What should Companies do next?

UK companies transferring personal data from the UK to the US should check whether the US businesses they work with participate (or plan to participate) in the UK-US data bridge, check US businesses’ privacy policies and assess whether the particular data transfer in question is covered by the Data Bridge.

Both UK and US companies may need to update their privacy policies, agreements and records of processing in order to reflect that they rely on or are certified under the UK-US data bridge.

Where businesses cannot rely on the new UK-US Data Bridge, they will have to continue using one of the already existing safeguards for data transfers, such as the international data transfer addendum to the European Commission’s standard contractual clauses for data transfers or binding corporate rules.

ERM is ready to support clients in the process of certifying under the Data Privacy Framework and on any other matters relating to privacy and data protection laws. Please reach out to us for more information.


The review was written by Rotem Perelman – Farhi, Partner and Heads of the firm’s Technology, IP & Data Department and Dr. Laura Jelinek, Associate in the the firm’s Technology, IP & Data Department.


* This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.

ERM has advised the Egoz Fund, whose subsidiary, ESHEL Real Estate Ltd., will grant a NIS 18,000,000 loan to members of a purchase group in Mazkeret Batya.

This is an interesting and complex transaction of a purchase group combined with TAMA 38.

The group purchased rights from the owners of the apartments in a building in Mazkeret Batya, and through an external organizer and a management company (Etgar Al) will strengthen the building against earthquakes and will add 17 housing units.

Eran Mizrahi, a partner in the real estate and urban renewal department, led the team with trainee Zvi Zavner.

For more information on such transactions, or our real estate and urban renewal department, please contact Eran Mizrahi or another member of our team.