Insights UK-US data bridge legislation passed


The EU-US Data Privacy Framework is a bespoke, opt-in certification scheme for US organisations that facilitates the transfer of personal data between the EU and the US in compliance with GDPR. It includes a set of enforceable principles and requirements that must be met in order to be able to join the Framework. Once a US organisation has been certified as meeting the requirements, it will be placed on the Data Privacy Framework List.

On 21 September 2023, the Data Protection (Adequacy) (United States of America) Regulations were laid before Parliament and will come into force on 12 October 2023. They create a UK-US “data bridge” based on the Government’s assessment that the US provides adequate standards of privacy for UK personal data for the purposes of the Data Protection Act 2018 and UK GDPR. This means that UK organisations can transfer personal data to US organisations appearing in the Data Privacy Framework List as participating in the “UK Extension to the EU-US Data Privacy Framework”, without the need for further safeguards such as execution of the UK’s International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses.

Under the scheme, only transfers of personal data to US organisations on the list are permitted (which does not include, for example, banking, insurance and telecoms companies) and not all types of data may be transferred. The government has published supporting documents which provide more detail on the requirements and limitations of this transfer mechanism.

For more information, click here