UK bolts US 'data bridge' deal onto EU-US Data Privacy Framework

Image Credits: Cavan Images/Toby Harriman (opens in a new window) / Getty Images
  • Oops!
    Something went wrong.
    Please try again later.

The U.K. government has officially confirmed it will piggyback on a transatlantic data transfer deal between the European Union and the U.S. by bolting on an extension that is dubbed the "U.K.-U.S. data bridge."

Back in June, the U.K. and U.S. reached an agreement in principle over this arrangement. Today the U.K. government confirmed that secretary of state, Michelle Donelan, has moved forward with the deal -- which is intended to grease digital commerce by allowing for U.K. citizens' information to be exported to the U.S. under an assurance of adequate levels of protection for people's information, in line with the UK's data protection regime (aka the U.K. GDPR), once it's over the pond.

"Adequacy regulations have been laid in Parliament today (21 September 2023) to give effect to this decision," the Department for Science, Innovation and Technology (DSIT) wrote. "UK businesses and organisations will be able to make use of this data bridge to safely and securely transfer personal data to certified organisations in the US, once the regulations come into force from October 12."

The need for the U.K. to have its own data sharing deal with the U.S. itself flows from the country's exit from the European Union. So there is no small irony that Brexit, in the case of data transfer deals, literally means the U.K. is leaning on (or "extending" in government parlance) a framework established by the bloc (to which U.K. lawmakers had zero input during negotiations). RIP irony indeed.

"The Secretary of State has determined that the UK Extension to the EU-US Data Privacy Framework does not undermine the level of data protection for UK data subjects when their data is transferred to the US. This decision was based on their determination that the framework maintains high standards of privacy for UK personal data," the DSIT wrote today.

"Supporting this decision, the US Attorney General, on September 18, designated the UK as a ‘qualifying state’ under Executive Order 14086. This will allow all UK individuals whose personal data has been transferred to the US under any transfer mechanisms (i.e. including those set out under UK GDPR [General Data Protection Regulation] Articles 46 and 49) access to the newly established redress mechanism in the event that they believe that their personal data has been accessed unlawfully by US authorities for national security purposes."

The U.K.-U.S. data bridge -- aka the “UK Extension to the [EU-US] Data Privacy Framework” (DPF) -- will enable U.S. companies that are certified under the EU framework to sign up to be able to receive U.K. personal data through the DPF.

While Donelan's decision to grease the flow of U.K. to U.S. data will be cheered by many as the sane and rational thing to do, unpicking another of Brexit's myriad harms, the U.K. building its U.S. data bridge atop the EU's framework does raise questions over the durability of the arrangement given the DPF is set to face legal challenge in the EU.

Data protection experts argue it does not protect the bloc's citizens' data to the required equivalent level. And the prior two EU-U.S. data transfer deals were struck down by the bloc's top court, in 2015 and 2020. If a third strike were to bring the DPF tumbling down, one question would be what happens to the U.K.'s bolt on arrangement?

Albeit, since the EU court of justice no longer has jurisdiction in the U.K., it's possible the U.K.'s bolt on extension bridge might just be the only bit that survives. Not least because the U.K. government is also in the midst of watering down domestic privacy standards . . . 😬

The U.S. bridge is not the first data sharing deal the U.K. has inked post-Brexit; that was the adequacy decision it took back in July 2022 with South Korea.