On 21 September 2023, the UK Department for Science, Innovation and Technology announced further details on the new transatlantic data flow mechanism for UK-to-US personal data transfers. The new adequacy regulations were laid in Parliament and will take effect on 12 October 2023. From that date on, organisations in the United Kingdom will be able to transfer personal data to US organisations that are certified to the “UK Extension to the EU-US Data Privacy Framework” without the need for additional data protection safeguards.
As previously described by ERM, the EU-US Data Privacy Framework (“DPF”) is a mechanism that allows personal data to be transferred from the EU to US companies that are certified under the DPF without the need for additional data protection safeguards. Companies that wish to self-certify under the DPF need to commit to the “DPF Principles” and comply with a detailed set of privacy obligations.
How does the Data Bridge work?
The UK Extension to the DPF, also known as the “UK-US Data Bridge”, extends the DPF to data flows from the UK to the US. US organisations that already participate in the Data Privacy Framework can opt in to receive data from the UK. Those that wish to do so can elect to participate in the UK-US Data Bridge either as part of their annual re-certification to the EU-US Data Privacy Framework, or outside of their annual certification to the EU-US Data Privacy Framework, provided that they make their election no later than January 16, 2024.
What should companies do next?
UK companies transferring personal data from the UK to the US should check whether the US businesses they work with participate (or plan to participate) in the UK-US Data Bridge, check those businesses’ privacy policies, and assess whether the particular data transfer in question is covered by the Data Bridge.
Both UK and US companies may need to update their privacy policies, agreements and records of processing to reflect that they rely on or are certified under the UK-US Data Bridge.
Where businesses cannot rely on the new UK-US Data Bridge, they will have to continue using one of the already existing safeguards for data transfers, such as the international data transfer addendum to the European Commission’s standard contractual clauses for data transfers or binding corporate rules.
ERM is ready to support clients in the process of certifying under the Data Privacy Framework and on any other matters relating to privacy and data protection laws. Please reach out to us for more information.
* This newsletter is provided for informational purposes only, is general in nature, does not constitute a legal opinion or legal advice and should not be relied on as such. If you are seeking legal advice, it is essential to review the specific facts of each case in detail with a qualified lawyer.