Legal Update on UK-US Data Bridge: Coming into Force from 12 October 2023

Following the EU's "in principle" decision to adopt the new EU - US Data Privacy Framework ('DPF') back in July this year, the UK Secretary of State for Science, Innovation and Technology has now confirmed the UK's decision to approve the DPF.

From 12 October 2023, UK companies will be able to use the so-called "Data Bridge" to transfer personal data to certain organisations in the US, subject to the DPF requirements, without having to put in place an International Data Transfer Agreement ('IDTA') or use binding corporate rules.

Requirements For US Companies to Receive Data from the UK

To receive personal data from the UK via the Data Bridge, US companies must use the DPF online self-certification process to:
• Sign up for both the DPF and the UK extension.
• Confirm participation in and compliance with the DPF and UK extension.
• Indicate if they wish to receive HR data under the DPF.

Businesses can self-certify here

The certified companies' information, their privacy policy, and their choice of a free independent recourse mechanism will be published on the DPF website.

It is worth noting that some US companies are excluded from the DPF and therefore are currently unable to participate in the Data Bridge. These companies include banking, insurance, and telecom companies that fall outside of the jurisdiction of the US Federal Trade Commission and the US Department of Transportation.

However, any US company that does not wish to participate in the DPF and the UK extension, or any US company that falls outside of the DPF, can still opt to use an IDTA or binding corporate rules to govern data transfer.

Categories of Data Not Covered By the DPF

Journalistic data, such as personal information gathered for publication or broadcast, is not covered by the DPF, and therefore cannot be transferred via the Data Bridge. US companies will be obliged to treat as sensitive any personal data received that has been identified as sensitive by the UK company (or previously treated as sensitive by the UK company).

UK companies should note that genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning sexual orientation, and criminal offence data unrelated to an employee are not specifically listed as sensitive data under the DPF. Therefore, when transferring data in these categories, it would be advisable to identify it as sensitive to ensure it receives appropriate protection in the US.

Personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information specifying the sex life of the individual is considered sensitive under the DPF, and therefore will be automatically treated as sensitive by the US company receiving the data.

Redress and Recourse System

UK individuals whose personal data has been transferred to the US will have access to the new two-tier redress mechanism under the DPF, which includes an independent Data Protection Review Court. This applies when they believe their personal data has been accessed unlawfully by US authorities for national security purposes.

If a UK individual or a UK company wishes to submit a complaint relating to a US company's compliance with the DPF, they can file the complaint with the UK ICO. Alternatively, they can contact the US company directly, which will be required by the DPF to reply within 45 days.

If the concern is not addressed properly by the US company, they can contact the free independent recourse mechanism, which will be identified on the DPF website alongside each self-certified US company's information and privacy policy.

The Data Bridge will enable UK companies to transfer personal data to some US companies without having to negotiate an IDTA.

However, prior to transferring any data to a US organisation, UK companies should carefully review that organisation's published information on the DPF website to make sure it has participated in the DPF and the UK extension. A review of the US company's privacy policy is also necessary to make sure it offers the same level of protection as a UK GDPR compatible privacy policy.

For anyone who is potentially looking to transfer personal data to the US, GS Verde Law is in a unique position to advise on this matter.

GS Verde Law can review and update your privacy notices, review your existing IDTA, review relevant information under the DPF list, advise on transferring different categories of personal data to the US, review the relevant US company's privacy policy, and keep you updated on any legal changes.

GS Verde Law is part of the GS Verde Group, a multi discipline group supporting businesses from start to finish on corporate transactions such as raising investment, mergers & acquisitions and business sales.
