Legal News | 25.10.23
Data Protection: UK-US Data Bridge
If your business uses Google AdWords, a data processor based in the United States, or uses an IT server located in the United States that processes personal data, the safeguard requirements for the transfer of personal data of UK citizens may have just become a little easier.
From the point the UK left the European Union, personal data could only be transferred to the US if certain safeguards were in place. These included binding corporate rules, a legally binding and enforceable instrument between public authorities or bodies, standard data protection clauses specified in regulations by the Secretary of State or with authorisation from the Information Commissioner.
The creation of the UK-US data bridge, which came into effect on 12 October 2023, has extended the EU-US Data Privacy Framework (DPF) to UK citizens, allowing personal data to be transferred between European Economic Area (EEA) organisations and DPF-certified US organisations. The DPF is a modification of the prior EU-US Privacy Shield.
The key benefit of the UK-US data bridge is that, where a US organisation is DPF-certified, you should not automatically need to consider any further safeguards.
The UK-US data bridge does not contain the same rights as the UK GDPR. For example, it does not include the right of a data subject to be forgotten or the right to withdraw consent, and the definition of “sensitive information” does not refer to all the special categories of personal data outlined within the UK GDPR.
Moreover, not all US organisations are eligible to benefit from the UK-US data bridge. Currently only US organisations subject to the jurisdiction of the US Federal Trade Commission and the US Department of Transportation are eligible to benefit from this new legislation.