The planned “data bridge” between the UK and the US has the potential to make data transfers much less complex for businesses. Now that the EU-US Data Privacy Framework (DPF) has been approved by the EU Commission, our experts explore what could happen next.
The United States and the United Kingdom have reached an agreement to establish a "data bridge" between the UK and the US as an extension to the DPF. This development holds significant implications for businesses operating in these regions. Let’s explore the planned data bridge and discuss how it could impact your business.
The planned data bridge
There are two key aspects to be aware of:
- In principle, establishing a UK-US adequacy decision has been agreed upon. This is often referred to as the "data bridge." This decision aims to extend the EU-US Data Privacy Framework to include the UK.
- Now that the EU Commission has approved the DPF, the implementation of the data bridge requires an official decision from the UK Secretary of State and the US designating the UK as a “qualifying region”.
What is the impact of the "data bridge" on your business?
If the data bridge is approved, it would have several implications for businesses:
- The US would become an adequate country under UK GDPR: Consequently, businesses would no longer be required to implement transfer safeguards or carry out transfer risk assessments when transferring data to the US.
- The burden of data transfers would be reduced for many businesses: Many companies, software companies in particular, host or transfer data to the US. The approval of the data bridge would significantly reduce the burden on these companies, as they would no longer need to navigate the complexities associated with transfer safeguards and risk assessments.
What happens next?
After the EU-US Data Privacy Framework (DPF) got the thumbs up from the European Commission, the UK is now ready to follow in these footsteps. It is keen to tie up its own agreement as quickly as possible.
To make this happen, the Secretary of State has to present a "statutory instrument" to Parliament. This is a special kind of law that can adjust or activate an existing law without the need for a brand-new Act. For instance, it was a statutory instrument that tweaked the GDPR to create the UK GDPR after Brexit.
In addition, the US has to label the UK as a "qualifying region" under the DPF. This means that a US company can certify to the DPF and be allowed to transfer data under this agreement.
The current hope is that the UK-US "data bridge" will get the green light around October 2023. This is when Parliament is back from its summer break.
However, it's worth noting that the EU-US DPF has stirred up some controversy. The European Data Protection Board (EDPB) and the EU Parliament haven't given it their full support. Max Schrems, a well-known privacy advocate, has said he will challenge the EU Commission's decision to back the DPF. This could mean that any changes from the data bridge might only be short-term, or could face more legal checks.
If the UK sets up a data bridge deal with the US, and the EU's decision with the US is found lacking again by the CJEU, it could cause problems for the UK's decision with the EU. This is because of the risk of onward transfers under EU GDPR.
In any case, firms that are covered by both the EU and UK GDPR will need to keep a closer eye on the data they transfer. They need to make sure they're not breaking the EU GDPR by using a US service provider. Keeping clear and correct records will be key.
Legal background
- The US is currently regarded as a third country under the UK's GDPR regulations.
- The Court of Justice of the European Union (CJEU) has invalidated the US adequacy decision twice in the "Schrems" and "Schrems II" cases. As a result, organisations relying on Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTA) are required to assess the risk associated with transferring data to third countries.
In summary, the planned data bridge between the UK and the US has the potential to streamline data transfers and reduce compliance complexities for businesses. However, it is not in place yet, so organisations need to be aware that, for now, they still need to have a transfer safeguard in place under UK GDPR.
We will keep you informed of any future developments. If you have any questions, don’t hesitate to reach out to one of our DataGuard experts!