On 21 September 2023, the UK Government adopted the Data Protection (Adequacy) Regulations 2023, also referred to as the “UK-U.S. Data Bridge”. The UK-U.S. Data Bridge will allow companies to legitimately transfer personal data from the UK to the U.S. on the basis of the recently enacted EU-U.S. Data Privacy Framework (“DPF”).
The UK Government decided to facilitate data flows from the UK to the U.S. by taking advantage of the existing DPF and establishing a UK extension to the DPF. The DPF is built on key data protection principles aimed to safeguard personal data that is transferred to the U.S. In addition, the DPF provides individuals (whose data is transferred) with specific rights such as the right to obtain access to, correction, or deletion of their personal data, as well as new redress possibilities for individuals. Companies in the U.S. that “import” personal data from Europe can self-certify to the DPF, by having their name added to the DPF list and committing to adhere to the principles of the Framework.
According to the UK Secretary of State for Science, Innovation, and Technology, the UK extension to the DPF will enable companies in the U.S. to ensure the protection of personal data of UK individuals whose data is transferred to the U.S. (see the UK-U.S. Data Bridge explainer of the UK Secretary of State here).
The UK-U.S. Data Bridge will come into force on 12 October 2023. This means that, as of that date, companies in the UK will be able to transfer personal data to U.S.-based companies certified under the DPF, in compliance with the UK General Data Protection Regulation (“GDPR”) and without the need for putting in place additional compliance measures (such as the UK’s international data transfer Addendum).
The UK-U.S. Data Bridge can be viewed here, and other supporting documents of the UK-U.S. Data Bridge can be viewed here.