The United Kingdom has announced its decision to establish the UK-U.S. Data Bridge. The UK-U.S. Data Bridge will allow UK businesses and organizations to transfer personal data to organizations in the United States that have certified compliance with the UK Extension to the EU-U.S. Data Privacy Framework.
The announcement was made on September 21 by Michelle Donelan, the UK Secretary of State for Science, Innovation, and Technology.
Accompanying the announcement was a series of supporting documents, including the Data Protection (Adequacy) (United States of America) Regulations 2023, a fact sheet for UK organizations, an assessment of the UK Extension by the Information Commissioner’s Office, and a comprehensive analysis of the UK Extension by the UK Department for Science, Innovation, and Technology.
The UK-U.S. Data Bridge adequacy regulations took effect on October 12. This means that UK businesses can begin transferring personal data to certified U.S. organizations without the need for further safeguards. Those safeguards include those specified in Article 46 (such as binding corporate rules, the International Data Transfer Agreement, or the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses) and Article 49 (derogations for specific situations).
An organization that already participates in the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and intends to extend its participation to cover the UK (and, as applicable, Gibraltar) would need to add the UK Extension either as part of its annual re-certification process or, if doing so outside of the annual re-certification process, add the UK Extension no later than six months from July 17, 2023.
As a reminder, the European Commission adopted its adequacy decision on July 10. Organizations that previously self-certified their commitment to comply with the predecessor EU-U.S. Privacy Shield Framework and wish to continue participation under the new E.U.-U.S. DPF had three months (until last week) to update their privacy policies to refer to the new framework. For more information about the EU-U.S. DPF, please see our previous blog post on the European Commission’s adequacy decision.
The Constangy Cyber Team assists businesses of all sizes and industries with implementing necessary updates to their privacy and compliance programs to address the constantly evolving regulatory landscape. If you would like additional information on how the EU-U.S. DPF and/or the UK Extension affect your business, please contact us at cyber@constangy.com.
The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation.
Subscribe
Contributors
- Suzie Allen
- John Babione
- Matthew Basilotto
- Bert Bender
- Ansley Bryan
- Jason Cherry
- Christopher R. Deubert
- Maria Efaplomatidis
- Rebecca D.C. Eng
- Laura Funk
- Lauren Godfrey
- Taren N. Greenidge
- Seth Greenwald
- Chasity Henry
- Julie Hess
- Sean Hoar
- Donna Maddux
- David McMillan
- Victoria Okraszewski
- Ashley L. Orler
- Todd Rowe
- Melissa J. Sachs
- Allen Sattler
- Brent Sedge
- Ryan Steidl
- Matthew Toldero
- Alyssa Watzman
- Aubrey Weaver
- Robert R. Wennagel
- Rob Yang
Archives
- April 2025
- March 2025
- February 2025
- January 2025
- December 2024
- November 2024
- October 2024
- September 2024
- August 2024
- June 2024
- May 2024
- April 2024
- March 2024
- February 2024
- January 2024
- December 2023
- November 2023
- October 2023
- September 2023
- August 2023
- July 2023
- June 2023
- May 2023
- April 2023
- March 2023
- February 2023
- January 2023