From 12 October 2023, organisations exporting personal data from the UK will be able to rely on the UK-US Data Bridge to secure a free and safe exchange of personal data. It will act as the lawful basis for personal data transfers to US organisations that have self-certified under the Data Privacy Framework (DPF).
The DPF governs EU-US data transfers and includes a set of enforceable principles and requirements that must be certified to, and complied with, in order for US organisations to be able to join.
The Data Bridge authorises UK organisations to transfer personal data, where the transfer is to an organisation in the US listed on the EU-US DPF and participating in the UK extension to the DPF. The Government hopes data bridges will unlock growth for businesses, allow crucial information for life-saving research to be shared, and encourage science and innovation across borders, as well as benefitting consumers.
What does the data bridge mean for data sharing?
Before sending personal data to the US, an organisation will need to confirm that the data importer is listed as an active participant on the DPF List.
If the US based data importer has not opted-in to the DPF, the UK data exporter will likely need to continue to rely on the pre-existing contractual mechanisms for transferring personal data to the US.
Currently, only US organisations subject to the jurisdiction of the US Federal Trade Commission (FTC) or the US Department of Transportation (DoT) are eligible to be included in the DPF. Banking, insurance and telecommunications organisations cannot currently participate.
What is excluded from transfer under the DPF?
The Data Bridge does not provide for journalistic data to be included, which means that:
‘Personal information that is gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives, is not subject to the requirements of the Principles’.
Special category and sensitive data under the UK-US Data Bridge
Special category and sensitive data from UK organisations can be shared with US organisations under the Data Bridge. However, this must correctly be identified by UK organisations as such, to ensure that it receives the appropriate protection under the DPF.
Organisations should pay particular attention when transferring data relating to:
- Genetic data;
- Biometric data for the purpose of uniquely identifying a natural person; and
- Data concerning sexual orientation.
What does this mean going forward?
UK organisations seeking to rely on the new UK-US Data Bridge need to ensure they check all the requirements are met before relying on it.
Organisations should be mindful of the need to update privacy policies and document their own processing activity as necessary, ensuring that they reflect any changes in how data is transferred from the UK to the US.
For help and advice on this topic or related issues, please do not hesitate to contact Chris Cook on 01727798089 or email firstname.lastname@example.org.