UK-US data bridge to become operational 12th October

Enables personal data transfers to certified organisations in the US

The UK Secretary of State for Science, Innovation and Technology (DSIT) Michelle Donelan on Thursday introduced regulations in Parliament to implement the new transatlantic data transfer mechanism for personal data moving from the UK to the US.

In June, the UK and the US came to an agreement over this arrangement, dubbed the UK-US Data Bridge, which is basically a "UK extension to the EU-US Data Privacy Framework (DPF)".

This deal would enable organisations to transfer personal data governed by the UK General Data Protection Regulation (UK GDPR) to eligible US entities.

The regulation is scheduled to come into effect on 12th October.

Data transfers across borders are pivotal to modern business operations, and the United States is a prominent trading partner for the UK when it comes to data-driven exports.

In 2021, a substantial 93% of the UK's service exports were reliant on data, and the UK successfully exported over £79 billion-worth of these services to the United States, according to the DSIT.

"Despite this relationship, burdensome red tape is an inescapable part of the current arrangements," DSIT stated in June.

"Most UK businesses who want to send personal data to a service provider or company in the United States must have costly contract clauses in place to ensure protection and privacy standards are maintained. A data bridge would remove that burden, speeding up processes for businesses, reducing costs, and increasing opportunity by making it easier for British businesses to operate and trade internationally," it added.

The UK-US data bridge will empower US companies that have obtained certification under the EU framework to opt-in for receiving UK personal data through the DPF, eliminating the need for additional safeguards like international data transfer agreements.

"The Secretary of State has determined that the UK Extension to the EU-US Data Privacy Framework does not undermine the level of data protection for UK data subjects when their data is transferred to the US. This decision was based on their determination that the framework maintains high standards of privacy for UK personal data," the DSIT said on Thursday.

This week, the US Attorney General officially recognised the UK as a "qualifying state" pursuant to Executive Order 14086.

The UK's classification as a qualifying state will grant UK citizens the opportunity to seek redress if they believe that their personal data has been collected or processed by US signals intelligence in a manner that contravened relevant US laws.

DSIT emphasises that while establishing this data bridge, they have diligently taken measures to preserve the high level of protection that individuals in the UK currently enjoy under the UK GDPR.

This included a thorough evaluation of the safeguarding of personal data under the Data Privacy Framework, along with a comprehensive examination of the broader legal and regulatory framework in place.

"The US data bridge will ensure that high standards of protection for personal data are maintained when the data is sent to certified US organisations. Any US company that elects to receive UK data under the data bridge will be required to maintain those standards," DSIT noted.

The UK has already established a comparable arrangement with several other significant partner nations, including the Republic of Korea.

The decision with the Republic of Korea represented the UK's initial independent data bridge following its departure from the European Union.