US-UK data bridge: Everything you need to know

The US-UK data bridge marks a major step toward easing the complexity of transatlantic data transfers, experts say. 

Coming into effect officially on October 12, the US-UK data bridge forms part of the EU-US Data Privacy Framework, which permits the flow of EU-based data to the United States under certain conditions. 

The framework was formally adopted by EU lawmakers in July 2023, and replaces the EU-US Privacy Shield, which was deemed invalid by the European Court of Justice in 2020 amidst data privacy concerns. 

In June 2023, the UK and US reached an agreement in principle to extend the Data Privacy Framework, creating the data bridge between the two countries.

Sarah Pearce, partner at the Hunton Andrews Kurth law firm, says the introduction of the data bridge will create a more flexible and streamlined business environment for organizations operating on both sides of the Atlantic. 

“It’s fair to say that the EU-US Data Privacy Framework – and the add-on UK-US data bridge – represent critical steps forward in easing the current complexity of transatlantic data transfers and should be heralded as a success,” she says. 

Charlie Bromley-Griffiths, corporate counsel at Conga, echoes Pearce’s comment, but warns that businesses will be forced to assign a greater focus to data management and protection from now on. 

“This sets the tone for the future of business. From here onwards, enterprises will need to be scrupulous with their data management and ensure they have the right measures in place to comply with the new regulations. 

“A lot has changed in the last year, with the Electronic Trade Documents Act, [Northern Ireland] Protocol data sharing agreement and the Schrems II legislation all coming into effect; organizations will need to review their data architecture and contract clauses with their customers and partners.”

The US-UK data bridge explained

The data bridge essentially permits the flow of UK data to another country without the need for further safeguards, according to the UK government. 

In this instance, the data bridge takes into account the level of protection provided by the recipient country – the US – and its handling of UK data.

The UK government is satisfied current US data protection and privacy regulations are adequate to support the data bridge, and that personal data will be protected to a level on-par with the Data Protection Act 2018.

“The US data bridge will ensure that high standards of protection for personal data are maintained when the data is sent to certified US organisations,” the government said in an explainer on the issue. “Any US company that elects to receive UK data under the data bridge will be required to maintain those standards.”

Initially, concerns around data protection and privacy practices in the US were a key stumbling block for EU regulators,  especially the potential use of data for surveillance purposes. 

Long-term, the UK government believes the establishment of the data bridge will unlock growth for businesses, enabling them to share information for research and support science and innovation in both the UK and US. 

US-UK data bridge: Lingering concerns

Pearce said that questions surrounding the data bridge still remain, particularly among privacy rights campaigners such as Max Schrems. 

The campaigner has argued that changes made to US data privacy rules to accommodate for the framework “do not address fundamental surveillance issues”, Pearce added. 

“It’s very likely that this type of criticism will provide ammunition to potential [legal] challenges, and we should expect that the courts will, again, be asked to assess whether the new safeguards are sufficient to be considered essentially equivalent to the safeguards in the EU and the UK,” she said. 

“Schrems has already publicly stated he will appeal the adequacy decision in respect of the framework,” Pearce added. “Whether such challenges will be successful, however, is another matter.”