The British government has officially confirmed that it will join the transatlantic data transfer agreement between the EU and the United States, adding an extension called the "UK-US Data Bridge". As early as June this year, the United Kingdom and the United States reached an agreement in principle on this arrangement. Today, the UK government confirmed that Secretary of State Michelle Donelan has moved ahead with the deal - which aims to boost digital commerce by allowing UK citizens' information to be exported to the US, guaranteeing people's information is adequately protected under the UK's data protection regime, also known as the UK GDPR, once it crosses the pond.
The Department of Science, Innovation and Technology (DSIT) wrote: "Adequacy regulations have been submitted to Parliament today (21 September 2023) to implement this decision. Once the regulations come into force on 12 October, UK businesses and organizations will be able to use this data bridge to safely and securely transfer personal data to certified organizations in the United States."
The need for the UK to strike its own data-sharing agreement with the US itself stems from Britain's exit from the EU. So it's no small irony that Brexit means that the UK will rely on (or, in government parlance, "extend") the framework established by the EU (in which UK lawmakers had zero input during the negotiation process) in terms of the data transfer agreement.
"The UK Secretary of State determined that the UK's extension of the EU-US Data Privacy Framework would not compromise the level of data protection of UK data subjects when their data is transferred to the US. This decision was based on their belief that the Framework maintains high standards of privacy for personal data in the UK," DSIT wrote today.
"In support of this decision, the U.S. Attorney General on September 18 designated the United Kingdom as an 'eligible country' under Executive Order 14086. This will allow all British individuals whose personal data has been transferred to the United States under any transfer mechanism, including those provided for in Articles 46 and 49 of the UK GDPR (General Data Protection Regulation), to have recourse to a newly established redress mechanism if they believe that their personal data has been unlawfully accessed by U.S. authorities for national security purposes."
The UK-US Data Bridge - also known as the "UK extension of the [EU-US] Data Privacy Framework" (DPF) - will enable US companies certified under the EU framework to register to receive UK personal data through the DPF.
While Donalan's decision to facilitate the flow of British data to the United States will be recognized by many as a sensible and rational approach, it also unveils the embarrassment of Brexit. Given that the DPF will face legal challenges in the EU, the UK's approach to building a US data bridge on the EU framework has raised questions about the durability of this arrangement.
Data protection experts believe the framework does not protect the data of citizens within the group to the same level as required. The previous two data transfer agreements between the EU and the United States were rejected by the EU's Supreme Court in 2015 and 2020 respectively. If the third blow causes the DPF to collapse, the situation will become even more embarrassing.
Still, with the EU Court of Justice no longer having jurisdiction over the UK, the UK's "Extended Bridge" scheme is likely to be the only surviving part, not to mention that the UK government is diluting domestic privacy standards.
The US data bridge is not the first data sharing agreement signed by the UK after Brexit. The UK also reached a similar cooperation with South Korea in July 2022.