The realities of the UK-US data bridge as a viable option for international personal data sharing

Where personal data is transferred from the UK or EU to a “third country” (or can simply be accessed from abroad), unless that country is deemed to provide an adequate level of protection for such data, the data exporter must implement alternative safeguards before the transfer takes place.

The eagerly awaited UK-US data bridge is now in effect. It operates as an “adequacy decision” in favour of the US for transfers to US organisations certified under the UK Extension to the EU-US Data Privacy Framework, and promises to remove the need for other, more cumbersome safeguards. However, actually making use of it is not necessarily a straightforward process. We explore the steps (and fees!) involved in using the data bridge and whether the alternative options are in fact more attractive.

To utilise the data bridge, the US recipient organisation must voluntarily self-certify under the Data Privacy Framework (DPF) Programme and opt in to the UK Extension; an organisation cannot certify to the UK Extension without also participating in the EU-US DPF. Self-certification must be renewed annually. Organisations must ensure they comply with a set of prescribed principles and submit various documentation as evidence of compliance.

The following are important points to note:

  1. Only US legal entities subject to the jurisdiction of the Federal Trade Commission (FTC) or the US Department of Transportation (DOT) are currently eligible to participate in the DPF Programme.
  2. Organisations must have (or put in place) a DPF-compliant privacy policy.
  3. Organisations must provide an independent recourse mechanism to investigate unresolved complaints brought by individuals under the DPF Principles and provide appropriate recourse free of charge to the affected individual. A reference to this mechanism and its contact details should be added to the privacy policy.
  4. A financial contribution must be made to the Annex I Binding Arbitration Mechanism (from $250 to $10,000 depending on revenue).
  5. Various attestations and assertions must be made when self-certifying, and organisations must ensure that the practices attested to can be verified. The information that must be provided includes organisation details, a description of the organisation’s activities that involve the transfer of personal data, the independent recourse contact details and various organisation characteristics.
  6. A contact must be designated within the organisation who is responsible for DPF compliance.
  7. A self-certification fee is payable based on the organisation’s annual revenue (varying from $250 to $3,250).

It is clear that using the new data bridge is likely to be a time-consuming process initially and may be more burdensome than other options available to companies looking to transfer personal data from the UK and EU to the US. However, where a company has the time and resources to do so, the public nature of the certification is likely to increase customer trust in that organisation’s data protection practices, and it is likely to save the company time where data is received from numerous UK-based entities, since a single certification covers all of those transfers rather than a separate agreement with each exporter.

A popular alternative mechanism is to put in place an international transfer agreement after completing an international transfer risk assessment. Depending on whether UK or EU personal data is involved (or both), various sets of prescribed clauses can be implemented between the exporting and importing entities to ensure compliant transfers: for UK personal data, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, and for EU personal data, the EU Standard Contractual Clauses themselves.

Madeleine Rhodes