Personal Data Transfers: UK-US Data Bridge Opens on 12 October


3 mins

Posted on 09 Oct 2023

Personal Data Transfers: UK-US Data Bridge Opens on 12 October

The UK-US data bridge (the “Data Bridge”) will formally open on 12 October 2023. This will provide a new lawful safeguard for UK organisations to transfer personal data to certified organisations based in the US.

Requirements for International Data Transfers

The General Data Protection Regulation (GDPR) (and UK GDPR in the UK) prohibits personal data transfers to countries outside of the EU/UK unless adequate safeguards are in place. One such safeguard is an adequacy decision (Article 45 UK GDPR); the European Commission adopted an Adequacy Decision for EU-US Data Transfers on 21 July 2023, under the EU-US Data Privacy Framework (the “Framework”), and the Data Bridge is the UK’s extension to this.

The Data Bridge permits the transfer of personal data between the UK and US if the transfer is to a US organisation listed on the EU-US Data Privacy Framework. Any transfer of personal data covered by the UK GDPR will then be subject to the Framework.

The Framework outlines commitments to privacy obligations that US businesses must agree to when receiving EU individuals’ personal data. As a result of the Data Bridge, these commitments will apply equally when receiving UK individuals’ personal data. US businesses signed up to the Framework do not need to put into place additional transfer safeguards.

Next Steps

If relying on the Data Bridge, UK organisations must first check the recipient US organisation is listed as participating in the Framework. Some sectors cannot join (for example, banking, insurance, and telecoms organisations).

If an organisation cannot rely on the Data Bridge to transfer personal data to the US, one of the pre-existing appropriate safeguards will need to be used (e.g., the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses), or any available derogation under Article 49 UK GDPR. Organisations should also carry out a transfer risk assessment to validate the transfers.

The Data Bridge replaces the Privacy Shield, which was invalidated through the Schrems II litigation. While the ICO’s published opinion states that the Data Bridge provides an adequate level of data protection, there will likely be legal challenges. For example, privacy interest groups in the UK may well challenge the Data Bridge.

Organisations sharing personal data with organisations in the US under the Data Bridge should review their privacy policies and notices and update them to include information on the Data Bridge. If you have any questions on transferring personal data internationally, please contact our Data Privacy team.

Piers Leigh-Pollitt

Piers advises a mixture of corporates and individuals on a wide range of HR/employment law matters and data protection issues (mainly from an HR perspective). Piers is also the firm’s internal compliance officer and handles all regulatory and internal compliance matters. He also heads up the firm's Data Privacy team and holds the Practitioner Certificate in Data Protection (GDPR).

  • Partner & Compliance Officer for Legal Practice
  • T: +44 (0)118 951 6761
  • Email me

View profile

Mike Hibberd

Mike is an employment and data privacy law expert advising both organisations and senior individuals on a wide range of human resources and related issues.

  • Legal Director
  • T: +44 (0)118 951 6765
  • Email me

View profile

The articles published on this website, current at the date of publication, are for reference purposes only. They do not constitute legal advice and should not be relied upon as such. Specific legal advice about your own circumstances should always be sought separately before taking any action.

Back to top