The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework.
The announcement was made on September 21 by Michelle Donelan, the UK Secretary of State for Science, Innovation, and Technology.
Accompanying the announcement was a series of supporting documents, including the Data Protection (Adequacy) (United States of America) Regulations 2023, a fact sheet for UK organizations, an assessment of the UK Extension by the Information Commissioner’s Office, and a comprehensive analysis of the UK Extension by the UK Department for Science, Innovation, and Technology.
The UK-U.S. Data Bridge adequacy regulations took effect on October 12. This means that UK businesses can begin transferring personal data to certified U.S. organizations without the need for further safeguards. Those safeguards include those specified in Article 46 (such as binding corporate rules, the International Data Transfer Agreement, or the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses) and Article 49 (derogations for specific situations).
An organization that already participates in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and intends to extend its participation to cover the UK (and, as applicable, Gibraltar) would need to add the UK Extension either as part of its annual re-certification process or, if doing so outside of the annual re-certification process, add the UK Extension no later than six months from July 17, 2023.
As a reminder, the European Commission adopted its adequacy decision on July 10. Organizations that previously self-certified their commitment to comply with the predecessor EU-U.S. Privacy Shield Framework and wish to continue participation under the new E.U.-U.S. DPF had three months (until last week) to update their privacy policies to refer to the new framework. For more information about the EU-U.S. DPF, please see our previous blog post on the European Commission’s adequacy decision.
The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address the constantly evolving regulatory landscape. If you would like additional information on how the EU-U.S. DPF and/or the UK Extension affect your business, please contact us at cyber@constangy.com.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.