How does the UK-US Data Bridge work?
After the Schrems II ruling in 2020, it has remained unclear how companies could transfer data compliantly to the US. The EU-US Data Framework, which came into force in July 2023, did not cover the UK, following Brexit and transfers of data, which were subject to UK GDPR, still had to use other methods for legitimising the transfer of data, such as the UK version of standard contract clauses or the International Data Transfer Agreement.
With the UK-US Data Bridge in place, the UK can now benefit from similar arrangements to the EU-US Data Framework. US companies, already participating in the EU-US Data Framework, can opt-in to receive data from the UK through their annual re-certification to the EU-US Data Framework, or by making an election outside their annual certification, provided they do so prior to January 16 2024.
What do UK Companies Need to do now?
As a first step, UK organisations need to review their UK-US data flows and check whether the US businesses they are working with are participating in or intending to participate in the UK-US Data Bridge, checking the privacy policies of those US businesses and determining whether the data to be transferred is actually covered by the UK-US Data Bridge. It should be noted that not all categories of data are covered by the UK-US Data Bridge; for some categories of data, additional safeguards may also be required.
Secondly, both UK and US organisations will need to update their privacy policies, agreements and records of processing in order to show they rely on and are certified under the UK-US Data Bridge.
Where it is not possible to rely on the UK-US Data Bridge, then the existing methods for legitimising transfers will have to continue to be used.
And Finally ….
The coming into force of the UK-US Data Bridge is most certainly good news for organisations on both sides of the Atlantic, providing a more certain and less cumbersome approach for most types of data transfers, avoiding more burdensome transfer mechanisms and safeguards. However, the wise (or sceptical perhaps) would be prudent not to get too complacent that this is the final part of the story on US data transfers. The EU-US Data Framework is already facing legal challenges and even though they could take years to resolve, we think this story may still have a few more chapters to run.
Here at LS Law, we have a team of experienced legal experts and data privacy officers, if you would like to tap into our expertise, or need assistance in updated your data privacy policy, please reach out to us.