Latham & Watkins and Privacy Laws & Business recently co-hosted a webinar looking back on the first eight months since the UK-US Data Bridge entered into force. Speakers from the UK Information Commissioner’s Office (ICO) and the US Privacy and Civil Liberties Oversight Board joined the panel for a broad discussion on the practical implementation and future outlook of the UK-US Data Bridge.

Below are key takeaways from the discussion and practical tips for UK and US organisations relying on the UK-US Data Bridge to facilitate personal data transfers to the US from the UK (and Gibraltar) while ensuring data is protected consistent with the standard imposed by UK law.

Overview

The mechanisms governing the transfer of personal data among the EU, the UK, and the US have evolved over the past decade, but all are rooted in the principle that EU/UK data may only be transferred to countries that offer an “adequate level of protection.”

The EU-US Safe Harbor Framework was an earlier mechanism that allowed companies to transfer personal data from the EU to the US. The Safe Harbor agreement was invalidated by the Court of Justice of the European Union (CJEU) in a landmark 2015 case known as Schrems I, creating a significant legal vacuum and uncertainty for businesses that relied on the framework for transatlantic data transfers. In response, the EU and the US negotiated the EU-US Privacy Shield Framework to address the deficiencies identified in Schrems I and provide stronger protections for transferred data, which was subsequently invalidated by the CJEU in a 2020 case known as Schrems II. President Biden then signed Executive Order 14086 in 2022, which introduced new safeguards for US intelligence activities addressing the concerns raised by the CJEU.

In July 2023, the European Commission recognised the EU-US Data Privacy Framework (DPF) as providing adequate protection to meet EU requirements for transferring data to third countries, allowing EU-US data transfers to commence under this mechanism. The UK Extension to the EU-US Data Privacy Framework (the UK-US Data Bridge) took effect on 12 October 2023, allowing UK organisations to transfer personal data to US companies that have self-certified their compliance under the DPF.

The UK-US Data Bridge mirrors the principles of the DPF, with specific references and adjustments pertinent to UK law. It is designed to align with the UK’s data protection standards, which are substantially similar to the EU’s General Data Protection Regulation (both the EU and UK laws referred to herein as GDPR), and to satisfy the requirements of both UK and US privacy regulations. Although organisations may opt to self-certify their compliance pursuant to the DPF only, organisations seeking to participate in the UK-US Data Bridge must self-certify to both the DPF and the UK-US Data Bridge.

Practical Tips for US Organisations

Any US organisation that is under the jurisdiction of either the Federal Trade Commission (FTC) or the Department of Transportation (DOT) is eligible to certify to the UK-US Data Bridge. Companies not subject to the jurisdiction of the FTC or DOT include, among others, those in the banking, insurance, and telecommunications industries. For eligible US companies, certification to the DPF and UK-US Data Bridge involves demonstrating compliance with a set of privacy principles that are essential for protecting personal data. These principles include transparency, data security, and accountability for onward transfers (the DPF Principles).

The International Trade Administration (ITA) of the US Department of Commerce oversees the certification process. Organisations that are not yet certified to the DPF must submit an application to the ITA for review. If deemed compliant, the organisation will be listed on the DPF List as a Certified Entity. To maintain certification, companies must annually recertify with the ITA, ensuring continuous adherence to the DPF Principles. Importantly, however, if an organisation has left the DPF for any reason (e.g., via voluntarily withdrawing, allowing its certification to lapse, or being removed by the ITA for failing to comply with the DPF Principles), the organisation must continue to apply the DPF Principles to data transferred pursuant to the DPF for as long as the organisation retains such data.

While an organisation’s decision to enter the DPF and UK-US Data Bridge is voluntary, once the organisation self-certifies, it must publicly declare that it will adhere to the DPF Principles, including through required disclosures in its privacy policy, and must fully comply with the principles. Failure to comply is enforceable by the FTC or DOT as an unfair or deceptive practice.

US organisations seeking to self-certify under the DPF and UK-US Data Bridge should engage in rigorous internal reviews for compliance with the DPF Principles. While the DPF Principles largely align with GDPR requirements, there are key differences. For example, the DPF requires certified organisations to provide opt-in consent before disclosing sensitive data to any third party, including service providers, and requires all processors, not just controllers, to provide notice of processing to individuals.

Organisations should ensure they have contractual protections in place for data transferred to third parties and ensure they are providing clear notices to individuals regarding their data processing practices, especially when handling sensitive data. Additionally, organisations may want to consider using Standard Contractual Clauses (SCCs) as a fallback mechanism to safeguard against the potential invalidation of the DPF given the history of data transfer mechanisms among the EU, the UK, and the US.

Practical Tips for UK Businesses

UK businesses looking to export personal data to the US under the UK-US Data Bridge should bear in mind some key points:

• DPF certification website: Exporters should confirm that the data recipient is listed on the DPF List, that the registration includes the UK-US Data Bridge (referred to as the UK Extension on the site), and that the registration is active. They should further confirm that the scope of the recipient’s certification covers the type of data that the exporter intends to transfer. For example, registrants may choose to cover HR data under one mechanism but not another. As such, exporters should be vigilant in verifying not only a recipient’s certification status, but also what the registration covers.
• Journalistic data exclusion: Exporters should be aware that journalistic data is not subject to the DPF Principles and that the definition of “journalistic data” is fairly broad. Namely, the definition covers any personal information gathered for publication, broadcast, or other forms of public communication of journalistic material, whether used or not, as well as information found in previously published material disseminated from media archives.
• Special category data: Exporters must clearly identify to their recipient certain special category or criminal offence data when making the data transfer. The Choice principle under the DPF does not exactly mirror the definition of special category data in Article 9(1) UK GDPR, as it does not include certain categories of data (i.e., genetic data, biometric data for the purpose of uniquely identifying a natural person, or data concerning sexual orientation). However, the Choice principle does require organisations under the DPF to treat as sensitive any information received that is identified as sensitive by third parties sharing the information. Therefore, exporters should proactively inform the recipient that such data is sensitive to ensure that it receives the appropriate protections under the DPF.
• Article 28 compliance: In respect of a data transfer to a US processor, exporters must: (i) ensure the recipient is certified to the UK-US Data Bridge, and (ii) ensure their own compliance with Article 28 of the UK GDPR via a written contract (which can be standalone or incorporated into a broader agreement). This is particularly relevant for organisations looking to move from the Addendum and SCCs to the UK-US Data Bridge, but are accustomed to relying on the all-in-one solution provided by the Addendum that incorporates those Article 28 requirements.

Challenges and Future Outlook

UK businesses may be uncertain as to the reliability of the UK-US Data Bridge in light of the invalidation of preceding data transfer regimes. However, there is reason for cautious optimism: The ICO recently confirmed that it has not received any complaints regarding the UK-US Data Bridge to date, and no legal challenges have yet been brought in the UK courts. Notably, the risk of legal challenge in the UK diminishes over time on the basis that judicial review claims (which are the main route for legal challenge in the UK) are strictly time-limited and usually brought within three months of the decision being challenged. Nevertheless, any future ruling of the Court of Justice of the European Union (CJEU) to annul the DPF adequacy decision would impact the UK-US Bridge, as it would likely prompt the UK government to review and potentially invalidate the extension in light of the CJEU’s ruling.

Key Takeaways

Below are considerations for UK and US companies already or considering relying on the UK-US Data Bridge for personal data transfers:

• Withdrawing or discontinuing certification: Where certification is withdrawn, lapsed, or removed, US companies must still abide by the DPF Principles with respect to data received under the UK-US Data Bridge. Moreover, US companies must provide annual recertification of continued compliance with respect to such data. US companies are encouraged to incorporate the DPF Principles into their broader privacy program and evaluate any new business through that lens going forward.
• Updating compliance documentation: UK companies relying on the UK-US Data Bridge to transfer data to the US should implement corresponding updates to their data protection compliance documentation, such as: (i) listing the UK-US Data Bridge as a relevant transfer mechanism in their privacy notices; (ii) updating their records of processing to reflect which transfers are subject to the UK-US Data Bridge; and (iii) listing the UK-US Data Bridge as the relevant transfer mechanism in any new data transfer agreements entered into with relevant US companies.
• Uncertainty and legal challenges: The potential for legal challenges to the DPF and the UK-US Data Bridge exists, but significant legal changes in the US provide a basis for optimism. Organisations relying on the UK-US Data Bridge to facilitate UK-to-US data transfers should approach the mechanism with flexibility in case they need to pivot to another transfer mechanism, such as the SCCs (e.g., by including an automatic trigger in relevant contracts to deal with any potential decision invalidating the DPF or the UK-US Data Bridge).
• Consistency and commitment: When certifying under the DPF, US companies must ensure that all of their actual practices are consistent with the commitments they are making to uphold the DPF Principles, not only at the time of certification but on an ongoing basis.

Panellist details:

Panellists for this discussion included:

• Emma Bate, Legal Director, UK Information Commissioner’s Office
• Kitty Rosser, Principal Lawyer (Legal Advice), UK Information Commissioner’s Office
• Travis Leblanc, Board Member, US Privacy and Civil Liberties Oversight Board, and Partner, Cooley LLP
• Clayton Northouse, Partner, Latham & Watkins LLP
• Chair: Fiona Maclean, Partner, Latham & Watkins LLP