Question of the month – The UK/US data bridge (UK extension) is now in force. What does this mean for transfers from the UK to the US?

The UK-US Data Bridge, which is an extension of the US/EU Data Privacy Framework (DPF), was announced on 21 September 2023 and entered into force on 12 October 2023. Under certain conditions, entities in the UK will be able to transfer personal data from the UK to entities in the US that are certified under the UK extension of the DPF and appear on the DPF list, without using safeguards such as Binding Corporate Rules and Standard Contractual Clauses.

There are limitations on the types of organisations that can sign up to the DPF and therefore the UK extension. They must be under the jurisdiction of the US Federal Trade Commission or the US Department of Transportation. The government has stated that organisations within the banking, insurance and telecommunications industries are therefore not covered at this time.

The government also states that journalistic data is not covered by the DPF and therefore is not covered by the UK extension.

There are some useful documents, including a fact sheet for UK organisations (which covers in more detail how to check if you can send information under the UK extension) on the website here.

The ICO, whilst considering it reasonable for the government to have made the adequacy regulation, has outlined four areas in which it considers there are risks to UK data subjects:

  • The definition of “sensitive information” does not align with the definition of special category data under GDPR, so UK organisations will need to specifically identify biometric, genetic, sexual orientation and criminal offence data as ‘sensitive data’ when sending it to a certified US organisation.
  • Even if it is identified as sensitive information, criminal offence data may not have protections equivalent to those set out in the Rehabilitation of Offenders Act 1974, which sets limits on the use of information on “spent” convictions, as it seems there is no equivalent legislation in the US.
  • There is not a “substantially similar” right of protection from automated decisions which produce legal or similarly significant effects. In particular, there is no right to have a decision reviewed by a human being.
  • There is no “substantially similar right” to erasure or any unconditional right to withdraw consent.

The ICO assessment can be found here.
